Daily Brief


Total articles found: 11668

Checks for new stories every ~15 minutes

2023-10-31 22:51:31 theregister CYBERCRIME Top White House Officials Seek Agreement Not to Pay Ransom to Cybercriminals
The US-led Counter Ransomware Initiative (CRI) summit aims to secure an agreement among 48 countries not to pay ransom to cybercriminals. During the summit, CRI plans to leverage artificial intelligence to trace cryptocurrency ransom payments and identify perpetrators. Aside from tracking illicit fund flows, CRI countries will improve their information-sharing capabilities, with Lithuania developing one platform and another being created jointly by Israel and the United Arab Emirates. The summit attendees will sign a policy statement declaring that governments will not pay ransom money, although the policy does not appear to cover private enterprises. The US Treasury will share a list of cryptocurrency wallets used to move ransom payments, and CRI countries will assist others attacked by ransomware. The US is the country most targeted by ransomware, accounting for 46% of all global attacks. Charles Carmakal, Mandiant's chief technology officer, asserts that banning ransom payments is a valuable step, but that more needs to be done on criminal deterrence through arrests, and that victims need better support in the aftermath of attacks.
2023-10-31 20:49:03 theregister CYBERCRIME Widespread Exploitation of Citrix Bleed Vulnerability Attracts Ransomware
Citrix Bleed, a critical information-disclosure bug affecting NetScaler ADC and NetScaler Gateway, is now undergoing "mass exploitation," with at least two ransomware syndicates involved. As of October 30, Shadowserver identified over 5,000 vulnerable servers on the public internet, while GreyNoise observed 137 unique IP addresses attempting to exploit the vulnerability. Citrix patched the flaw (CVE-2023-4966) on October 10, but patching alone does not invalidate session tokens that were copied beforehand, so attackers who already hold stolen tokens can continue to impersonate authenticated users on patched systems unless active sessions are terminated. Organizations across multiple sectors, including the tech industry and government agencies globally, are being targeted by four distinct groups tracked by Mandiant. Security firm Assetnote's publication of a technical analysis of the bug, demonstrating how it could be used to steal session tokens, has led to an increase in scanning activity for vulnerable endpoints. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog, but still lists its "used in ransomware campaigns" status as "unknown." Citrix did not comment when asked whether the bug is being exploited by ransomware groups.
2023-10-31 20:23:17 bleepingcomputer MALWARE Avast Confirms False-Positive Report Flagging Google App as Malware on Specific Android Phones
The cybersecurity company Avast confirmed that its antivirus software development kit (SDK) was erroneously flagging the Google app as malware on Huawei, Vivo, and Honor smartphones. Users of affected devices were alerted to delete the Google app over purported risks such as secretly sending SMS messages, downloading and installing other apps, or stealing personal data. Some notifications even marked the Google app as a trojan capable of giving attackers remote access to the device in order to install malware or steal data. The false detection was reported on multiple forums, including Google's support forum, Reddit, and Huawei's forum. The issue only affected users outside China and a small number of Honor and Vivo customers. Avast addressed and resolved the issue on October 30. Google urged users to contact their device manufacturer for further information and affirmed that Google Play is the only official platform for downloading Google's core apps for Android.
2023-10-31 20:12:39 bleepingcomputer CYBERCRIME New Android App Replicates Flipper Zero Bluetooth Spam Attacks
Software developer Simon Dankelmann has created an Android app that can carry out Bluetooth spam attacks similar to those previously conducted with the Flipper Zero hardware, a device used for software-defined radio applications. The 'Bluetooth-LE-Spam' app generates BLE (Bluetooth Low Energy) advertising packets that mimic other devices in order to send spam alerts to nearby Windows and Android users. The app is still in the early stages of development, although initial tests confirmed it can broadcast connection requests as frequently as once per second, targeting Android's 'Fast Pair' feature and Windows' 'Swift Pair' feature. Limitations in Android's software development kit may make the app less effective than Flipper Zero, resulting in poorer reception, because developers have limited control over the data being broadcast and over the transmission power level. The app's broadcasting function can also cause Bluetooth-enabled devices such as mice and keyboards to become unresponsive, which could be used for "denial of service" attacks. Currently, the app represents a potential for disruption rather than a serious security threat to users. Targeted users can stop the spam notifications by disabling the relevant pairing setting. BleepingComputer has advised against testing the app on primary devices because no official guarantee has been provided that the project is safe.
2023-10-31 19:19:32 theregister CYBERCRIME Russians and Americans Indicted for Hacking JFK Airport's Taxi Dispatch System to Sell Queue Spots
Two American nationals, Daniel Abayev and Peter Leyman, and two Russian nationals, Aleksandr Derebenetc and Kirill Shipulin, have been charged with hacking the taxi dispatch system at John F. Kennedy International Airport in New York in order to sell front-of-line positions to taxi drivers. The alleged hacking occurred between September 2019 and September 2021, and the American duo pleaded guilty in early October. The scheme exploited taxi drivers' demand for lucrative airport fares and their financial incentive to avoid waiting in line. The alleged hackers made several efforts to gain access to the dispatch system, including bribing personnel to insert a malware-containing flash drive into system-connected computers, unauthorized access via Wi-Fi connections, and stealing system-connected computer tablets. The group purportedly offered queue-jumps for $10 and waived fees for drivers who provided referrals, allegedly enabling as many as 1,000 queue-skipping trips per day. The dispatch system was accessed multiple times, resulting in substantial earnings for the group; the accused Russians earned over $100,000 from the scheme, sent to them under the guise of "payment for software development" or "payment for services rendered." The American defendants face up to five years in prison, and the Russian defendants could face a maximum sentence of ten years if apprehended.
2023-10-31 19:03:51 bleepingcomputer CYBERCRIME British Library's Online Services Disrupted after Major Cyberattack
The British Library experienced a significant IT outage impacting its website and various services following a cyber incident on October 28. The outage also affected phone lines and on-site library services in London and Yorkshire, although facilities such as the Reading Rooms remained operational. While physical items requested before the attack are available on site, manual ordering of collections in London is limited, there is no access to digital collections or the digital catalog, and exhibition tickets can only be bought on site with cash. No details have been provided about the type of attack, how the attackers breached the library's systems, or whether personal or financial information was compromised. The National Cyber Security Centre (NCSC) and other cybersecurity specialists are working with the library to investigate the incident. Holding one of the world's most extensive collections, the British Library has over 150 million items and receives over 11 million online visitors annually; over 16,000 people use its collections daily, both on site and online.
2023-10-31 18:07:28 bleepingcomputer CYBERCRIME Atlassian Cautions Over Critical Security Flaw in Confluence Leading to Data Loss
Australian software company Atlassian warns of a critical security flaw in Confluence Data Center and Confluence Server software that could lead to data loss if successfully exploited. The vulnerability, described as an improper authorization issue and tracked as CVE-2023-22518, poses a severe risk to publicly accessible Confluence instances. The flaw can be used by threat actors to destroy data on affected servers, but it does not affect confidentiality, as it cannot be used to extract instance data. Cloud instances accessed via an atlassian.net domain are not affected. Atlassian patched CVE-2023-22518 in Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1, urging admins to back up unpatched instances and block Internet access to them until upgrades are implemented. CISA, the FBI, and MS-ISAC had previously warned admins to patch Atlassian Confluence servers against an actively exploited privilege escalation flaw tracked as CVE-2023-22515. The Chinese-backed Storm-0062 (aka DarkShadow or Oro0lxy) threat group had reportedly exploited that earlier flaw as a zero-day since at least September 14, 2023.
2023-10-31 17:36:36 theregister CYBERCRIME Retail Hardware Giant, Ace, Disrupted by Significant Cyberattack
Ace Hardware, a US-based hardware cooperative, suffered a severe cyberattack on Sunday, impacting the majority of its IT systems and hindering many key operations. The attack disrupted the company's warehouse management systems, retailer mobile assistant system, invoicing system, and the phone system of its customer rewards and care center. While the type of attack has yet to be specified, digital forensic experts have been called in to aid the restoration process. Although online orders and deliveries were suspended, the company said that in-store payments and credit card processing were unaffected. Warehouse employees and other staff are reportedly concerned about pay delays following the attack. The company recently reported a decrease in revenues, with a 5.8% decline compared to the same quarter of the previous year.
2023-10-31 16:55:24 bleepingcomputer CYBERCRIME Alliance of 40 Nations Pledges to Cease Paying Ransomware Ransoms
Representatives from 40 countries will commit to discontinuing ransom payments to cybercriminal gangs at the third annual International Counter-Ransomware Initiative summit. The move comes in response to rising global ransomware threats, with the United States bearing the brunt of these attacks and accounting for roughly 46% of incidents worldwide. The summit will explore strategies to cut off funding for ransomware operations, aiming to undermine a critical driver of the industry: the profitability of such attacks. Although 48 countries, the European Union, and Interpol are participating in the summit, it remains unclear whether all attendees will agree to the pledge. Ransomware incidents peaked in September, with North America the most targeted region, and over the last two years numerous governments have suffered severe disruptions from ransomware attacks. The summit follows the inaugural event organized by the White House National Security Council in October 2021, at which 31 countries pledged to pursue efforts to disrupt ransomware groups' abuse of cryptocurrency.
2023-10-31 16:24:20 bleepingcomputer MALWARE Samsung Rolls Out Enhanced Malware Protection with Auto Blocker Feature
Samsung has introduced a new security feature called 'Auto Blocker' with the One UI 6 update, providing increased malware protection on Galaxy devices. The opt-in feature prevents the sideloading of apps from sources outside the Galaxy Store and Google Play, shielding users from social engineering attacks that rely on installing apps from unofficial channels; users who need such apps can deactivate it. The feature also includes app security checks powered by McAfee. Auto Blocker additionally blocks unauthorized commands and software installations over the USB port, which protects users who charge their devices at public charging stations. Alongside the launch of One UI 6, Samsung has also improved Message Guard to support popular third-party messaging apps, including Messenger, Telegram, KakaoTalk, and WhatsApp. Initially, only the Galaxy S23, S23+, and S23 Ultra have received the update containing Auto Blocker and the updated Message Guard, but more devices are expected to receive it soon. Users of compatible devices can activate the feature through the settings menu and are advised to also use a third-party mobile security solution for added protection.
2023-10-31 16:18:42 theregister DATA BREACH FTC Introduces Mandatory 30-Day Data Breach Reporting Deadline for Non-Banking Financial Organisations
The U.S. Federal Trade Commission (FTC) has approved amendments to its Safeguards Rule that require non-banking financial organisations to report data breaches within a 30-day timeframe. The rule will apply to the likes of insurance firms, mortgage brokers, payday lenders, and car dealerships. Under the amendment, entities responsible for the safekeeping of customers' financial information must notify the FTC of any data breach involving 500 or more consumers as quickly as possible, and no later than 30 days after the incident's discovery. The FTC rule amendment mirrors similar measures adopted by state governments across the U.S.; in California, for instance, businesses are required to disclose breaches that affect 500 or more state residents. The mandatory disclosure is estimated to affect an additional 155 firms, and the new rule will come into effect 180 days after it is published in the Federal Register, probably in 2024. The FTC initiative aligns with recent moves by the Securities and Exchange Commission (SEC), which introduced its own mandatory breach reporting rules in July with an even tighter four-day window. The Department of Homeland Security (DHS) is also examining ways to streamline the reporting of security incidents at the federal level, including a proposed single reporting portal.
2023-10-31 15:27:13 bleepingcomputer CYBERCRIME Prolific Puma: Unmasking the Massive URL Shortening Service for Cybercriminals
Security researchers from Infoblox have uncovered a massive cybercrime link-shortening service operated by an actor they have named Prolific Puma. Operating undetected for at least four years, Prolific Puma has registered thousands of domains, largely under the U.S. top-level domain (usTLD), to facilitate the delivery of phishing, scams, and malware. Prolific Puma's method often involves multiple redirects through shortened links before reaching the landing pages. Some links also lead users to a CAPTCHA challenge, possibly to shield against automated scans. The actor is suspected of serving multiple clients, as the nature of the short links varied. Delivery methods include text messages, social media, and advertisements. The operator has registered up to 75,000 unique domain names since April 2022, spread across 13 TLDs but primarily under usTLD. To evade detection and scrutiny, Prolific Puma "ages" its domains by leaving them inactive for a few weeks before moving them to a bulletproof hosting provider. Infoblox believes that Prolific Puma only provides the link-shortening service, with control of the landing pages likely resting with different actors, but does not rule out the possibility that Prolific Puma controls the entire operation.
2023-10-31 15:06:15 bleepingcomputer NATION STATE ACTIVITY Canada Prohibits Use of WeChat and Kaspersky Products on Government Devices
Canada's Treasury Board President, Anita Anand, has announced a ban on the use of Tencent's WeChat app and Kaspersky security products on state-issued mobile devices over privacy and security risks. The Canadian government expressed fears that these companies could secretly relay sensitive information to Chinese and Russian intelligence agencies, respectively. Although no verified incidents of compromised government data have been reported, the potential risks linked to the data collection methods of these apps, particularly on mobile devices, are considered unacceptable. The ban takes effect on October 30, 2023, by which time all designated software must have been removed; downloads of these apps will also be blocked after this deadline. While the government supports individual freedom in choosing apps, it advises referring to the Canadian Cyber Centre's recommendations. Kaspersky argues the decision was not based on a technical evaluation of its products but is politically motivated, rejecting all claims as groundless and suggesting the action is part of Canada's response to the current geopolitical climate. Other countries, including the U.S., Germany, Italy, and the U.K., have previously expressed concerns about and imposed restrictions on Kaspersky products over potential Russian espionage risks.
2023-10-31 14:24:45 bleepingcomputer MALWARE New NuGet Typosquatting Campaign Abuses MSBuild to Install Malware Stealthily
Threat actors have targeted the NuGet software distribution system in a new typosquatting campaign, using its MSBuild integration to execute code and install malware. The campaign was detected by ReversingLabs on October 15, 2023, and its packages leverage MSBuild integration instead of the common approach of embedding downloaders in install scripts. MSBuild integration's ability to run scripts automatically when a package is installed has long raised security concerns; in this case, the malicious code spotted by ReversingLabs was hidden in a "build" directory. This abuse of MSBuild integration was first demonstrated by a security researcher in 2019 to show how it could be used to run code when NuGet packages are installed, but this is the first recorded use by threat actors. The malicious packages belong to a campaign that began in August 2023 but did not abuse MSBuild integration until mid-October 2023. The attackers have been refining their techniques, initially using PowerShell scripts to fetch the malware from a GitHub repository, and, after the packages were removed, immediately tried to upload new ones, indicating an intent to continue the campaign.
2023-10-31 14:18:34 theregister CYBERCRIME British Library Suffers Major IT Outage In "Cyber Incident"
The British Library had to grapple with an unresponsive website, Wi-Fi, phone lines, and other services after a "cyber incident" led to a significant IT outage. The outage started on the morning of October 28, and its effects continue to be felt at both the St Pancras site in London and locations in Yorkshire. The incident is severe enough that internal experts as well as the National Cyber Security Centre (NCSC) are involved in the investigation and response. Despite the technology blackout, the British Library has kept its sites open, reminding visitors and patrons of available services through social media while warning of limitations caused by the issue. Cash payments are being accepted as one workaround, while ordering and collection of items remain limited. The library has yet to confirm details about the nature of the incident and has not issued any statement on reports of problems with its VMware ESXi servers, which have been blamed for exacerbating the situation.