Daily Brief

Total articles found: 11658

2023-10-31 03:11:30 | bleepingcomputer | CYBERCRIME | Critical Cisco IOS XE Flaw Exploited As Zero-Day, Thousands of Devices Hacked
Public exploit code for a critical Cisco IOS XE vulnerability (CVE-2023-20198) has been developed and used to compromise tens of thousands of devices. Researchers at Horizon3.ai have shared details of how attackers bypass authentication and create a new user with top-level privileges, giving them complete control over compromised devices. Although Cisco has released patches for its software, internet scans show that a substantial number of systems are still being compromised. Intelligence platform LeakIX confirmed that the exploit observed through its honeypots could successfully compromise Cisco devices and execute reconnaissance commands. Cisco has updated its security bulletin, noting that the only software version still affected by the issue is 17.3, for which an update is not yet available. CVE-2023-20198 was exploited as a zero-day before Cisco disclosed it on October 16. Threat hunting platform Censys discovered 28,000 compromised Cisco hosts worldwide, many belonging to major telecommunications and internet providers offering country-wide services. Current estimates put the number of compromised Cisco IOS XE hosts at nearly 38,000.
2023-10-30 22:57:10 | theregister | CYBERCRIME | Florida Man Receives 30-Month Jail Sentence for Role in $1M Crypto SIM Swapping Fraud
A 20-year-old from Florida, Jordan Persad, has been sentenced to 30 months' imprisonment for his role in a SIM-swap scheme that siphoned nearly $1 million in cryptocurrency from victims. Persad must also pay $945,833 in restitution. Persad and his associates conducted SIM swaps to gain unauthorized access to online cryptocurrency accounts. They hijacked victims' email accounts and cellphone numbers and used the password reset function on various online accounts linked to their victims' phone numbers. After obtaining log files of victims' email addresses and passwords, Persad and his co-conspirators would access their email accounts, take over their SIM cards, and drain their cryptocurrency wallets. Persad admitted in a court document that, for instance, on April 4, 2022, he and his associates accessed an online cryptocurrency account belonging to an Arizona resident and transferred about $28,000 worth of cryptocurrency to another wallet. The stolen funds were divided among the group. In total, the group stole at least $950,000, of which Persad kept around $475,000 for himself. The FBI recovered some of the stolen funds after executing a search warrant at Persad's home. It remains unclear whether Persad is affiliated with the Scattered Spider cybercrime group, known for SIM swapping, phishing, ransomware, and extortion, although parallels have been drawn between their activities.
2023-10-30 22:51:44 | bleepingcomputer | DATA BREACH | Hackers Exploit LastPass Breach to Steal $4.4 Million in Cryptocurrency
Hackers have reportedly leveraged the 2022 LastPass breach to steal $4.4 million in cryptocurrency from more than 25 victims. According to crypto fraud researcher ZachXBT and MetaMask developer Taylor Monahan, the criminals used private keys and passphrases stored in the stolen LastPass vault databases. In the 2022 LastPass breach, threat actors stole source code, customer data, and production backups from cloud storage, including encrypted password vaults. While the encrypted vaults were stolen, LastPass CEO Karim Toubba reassured customers that only they knew the master password needed for decryption. However, the research suggests the attackers are cracking vaults protected by weaker master passwords to obtain stored cryptocurrency wallet passphrases, credentials, and private keys. The same threat actors are believed to be linked to thefts totaling $35 million in cryptocurrency. The researchers strongly urge LastPass users affected by the 2022 breaches to reset all of their passwords.
2023-10-30 21:55:25 | bleepingcomputer | CYBERCRIME | SEC Charges SolarWinds and Its CISO with Fraud Over Concealment of Cybersecurity Issues Prior to 2020 Hack
The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds and its Chief Information Security Officer, Timothy G. Brown, with intentionally concealing cybersecurity weaknesses prior to the December 2020 hack attributed to APT29, a hacking group linked to Russia's foreign intelligence service. The SEC alleges that SolarWinds failed to appropriately inform its investors about cybersecurity risks and inadequate practices that were known within the company. According to the complaint, Brown had been aware of the weaknesses since at least 2018, with internal presentations stating that the company's security posture left its critical assets "very vulnerable." Two months before the attack, an internal document allegedly revealed that engineering teams were unable to keep up with the growing list of security issues. In response to the charges, SolarWinds CEO Sudhakar Ramakrishna called the enforcement action "misguided" and "inconsistent with the progress the industry needs to make," stating that the company communicated openly about security issues with the aim of improving collective security across the industry. The breach carried out by APT29 led to the compromise of thousands of systems across a range of high-profile victims, including U.S. government agencies and Fortune 500 companies.
2023-10-30 20:48:55 | bleepingcomputer | CYBERCRIME | Security Flaws in Wyze Cam v3 Permitted Device Takeover; Patch Released Amid Controversy
A security researcher identified and publicly posted an exploit for Wyze Cam v3 devices that chains two firmware flaws to achieve device takeover by opening a reverse shell. The first weakness is a Datagram Transport Layer Security (DTLS) authentication bypass in the 'iCamera' daemon, which lets attackers use arbitrary Pre-Shared Keys (PSKs) during the DTLS handshake to circumvent authentication. The second flaw is reachable once a DTLS-authenticated session is established: improper handling of certain arrays allows a stack buffer overflow, which attackers can use to overwrite stack memory and execute their own code on the camera. Firmware update 4.36.11.7071 resolves the reported issues, and users are advised to apply it as soon as possible. The researcher released the exploit publicly while criticizing Wyze's patching strategy, claiming the company released the fixes right after the registration deadline for the recent Pwn2Own Toronto competition, so teams that had a viable exploit had to abandon their entries. Wyze stated that it only became aware of the issues a few days before the competition and is currently investigating whether the same vulnerabilities exist in other devices' firmware. Users are strongly urged to apply the update to prevent mass exploitation, or to isolate their Wyze cameras from critical networks if they cannot apply the firmware update.
2023-10-30 20:02:22 | theregister | CYBERCRIME | Unpatched NGINX Ingress Controller Vulnerabilities Could Expose Kubernetes Cluster Secrets
Three unpatched vulnerabilities in the NGINX ingress controller for Kubernetes could be exploited to steal credentials and secrets from clusters. The bugs, tracked as CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886, were disclosed on October 27 and currently await triage; it is not clear whether they have been exploited yet. CVE-2023-5043 and CVE-2023-5044 both stem from improper input validation and, if exploited, allow arbitrary code injection, the acquisition of high-level credentials, and the theft of all secrets in the cluster. The third bug, CVE-2022-4886, lets an attacker obtain the ingress controller's Kubernetes API credentials and subsequently access all cluster secrets; it affects versions 1.8.0 and earlier. All three vulnerabilities underscore the inherent risk posed by ingress controllers, whose access to TLS secrets and the Kubernetes API makes them high-privilege workloads. The Kubernetes Security Response Committee offers mitigations, including setting the --enable-annotation-validation flag for the first two bugs and a specific configuration of the pathType field for the third. Because ingress controllers are typically internet-facing components through which external traffic enters the cluster, they are attractive targets for attackers.
2023-10-30 20:02:21 | bleepingcomputer | DATA BREACH | FTC Updates Safeguards Rule Requiring Non-Banking Financial Firms to Report Data Breaches within 30 Days
The U.S. Federal Trade Commission (FTC) has updated the Safeguards Rule to require non-bank financial institutions to disclose data breach incidents within 30 days. These institutions include insurance companies, mortgage brokers, asset management firms, motor vehicle dealers, peer-to-peer lenders, investment firms, and payday lenders. The rule mandates disclosure for security incidents affecting 500 or more consumers in which unencrypted (cleartext) information was accessed by unauthorized third parties. A provision allows public disclosure of a specific incident to be delayed by 60 days if a law enforcement official requests an extension. Breaches of encrypted information do not need to be reported if the encryption key was not accessed. The new reporting requirement takes effect 180 days after the rule is published in the Federal Register, which is projected to be in April 2024. Filing a breach notification does not by itself suggest a violation of the Safeguards Rule or trigger an investigation or enforcement action.
2023-10-30 18:35:02 | theregister | CYBERCRIME | Multi-Year Cryptojacking Campaign Found Stealing AWS Credentials Exposed on GitHub
Researchers at Palo Alto Networks' Unit 42 have discovered an ongoing cryptojacking campaign, dubbed EleKtra-Leak, that harvests AWS credentials exposed in GitHub repositories and uses them to mine Monero. The credentials are often stolen within five minutes of exposure, after which the attackers launch multiple Amazon Elastic Compute Cloud (EC2) instances to mine the cryptocurrency. Between August 30 and October 6, the researchers identified 474 unique miners running on what are believed to be actor-controlled EC2 instances. Amazon's quarantine policy, which aims to prevent misuse of exposed AWS keys, is generally effective; however, the attacker can bypass it in cases where the exposed keys are not automatically detected by AWS. The criminals typically operate behind a VPN to obscure their identity and use legitimate services such as Google Drive to host their mining payloads. The payload is stored as an encrypted file and resembles a cryptojacking campaign documented in 2021. The researchers recommend secret scanning and the immediate revocation of any exposed AWS credentials as mitigations.
2023-10-30 18:35:01 | bleepingcomputer | CYBERCRIME | Google Chrome Enhances Security Through Auto-Upgrades to Secure HTTP Protocols
Google Chrome has implemented a feature named HTTPS-Upgrades that automatically upgrades insecure HTTP requests to HTTPS. The feature is now available to all Chrome users, following a limited rollout in July. Historically, browsers would make insecure HTTP requests to websites that already supported HTTPS, because of older links or site content that had not been updated to the new scheme. These unencrypted HTTP connections could be intercepted to steal user credentials and sensitive data. Existing methods of enforcing HTTPS, including the HSTS preload list and manually curated upgrade lists, are limited by complexity, risky setups, or limited site coverage; maintaining an up-to-date list of HTTPS-capable sites is difficult and bandwidth-consuming, so users may receive outdated information. Chrome's upgrade mechanism falls back quickly to HTTP when required and provides an opt-out header that lets web servers serving different content over HTTP and HTTPS decline auto-upgrades. The change may require adjustments to the Fetch specification concerning the upgrade of main-frame navigation requests and the handling of network errors in upgraded requests. The feature offers no less security than current behaviour: it removes exposure to passive network attackers, although an active attacker could still interfere with the upgrade. While the upgrade may reduce developers' motivation to fix HTTP references, it serves as a proactive measure to strengthen user security, especially for sites that are unlikely ever to transition to HTTPS themselves.
2023-10-30 17:03:11 | bleepingcomputer | CYBERCRIME | Toronto Public Library Services Disrupted Following Cyberattack
Toronto Public Library (TPL) has been hit by a cyberattack that forced many of its online services offline. TPL, Canada's largest public library system, has not provided specifics about the incident, though it stressed that there is currently no evidence that customer or staff data was exposed. While the main website is unreachable, library branches remain open, WiFi and telephone services are available, and a number of online services hosted elsewhere remain accessible. Full system restoration is projected to take several days, which TPL attributes to its proactive response to the incident and its security measures. The incident adds to a series of recent cyberattacks on Canadian organizations, including IT outages at five Ontario hospitals and data theft incidents at Air Canada and Petro-Canada gas stations. No ransomware group had claimed responsibility for the attack at the time of writing.
2023-10-30 16:57:37 | bleepingcomputer | MALWARE | New BiBi-Linux Wiper Malware Targets Israeli Companies' Linux Systems
A new data-destroying malware called BiBi-Linux has been identified targeting Linux systems owned by Israeli companies. The malware was discovered during a breach investigation of an Israeli organization's network. BiBi-Linux does not exhibit common malware behaviours such as communicating with C2 servers for data exfiltration, using reversible encryption, or leaving ransom notes. Upon execution, it corrupts files by overwriting them with useless data, damaging both the data and the operating system of the affected device. The payload found on the victim's systems lets the attackers choose which folders to target, and if no target path is supplied it can wipe the entire operating system. The malware uses no obfuscation, packing, or protective measures, indicating that the attackers are not concerned about their tools being analyzed and are focused solely on the impact of the attack. The threat emerges alongside other destructive malware attacks, such as those conducted against Ukrainian organizations by Russian threat groups since the invasion in February 2022.
2023-10-30 16:26:39 | thehackernews | MALWARE | Pro-Hamas Hacktivist Group Targets Israeli Entities with BiBi-Linux Wiper Malware
A new malware dubbed the BiBi-Linux Wiper has been identified in attacks against Israeli entities, believed to be orchestrated by a pro-Hamas group. The executable can target specific folders and can cause substantial system-wide damage when run with root permissions. It uses multithreading to corrupt multiple files concurrently, increasing its effectiveness, and it overwrites and renames files, incorporating the name "BiBi" in a nod to Israeli Prime Minister Benjamin Netanyahu. If no specific path is provided it targets entire directories, although root permissions are required to operate at that level. The threat group is suspected to be linked to Arid Viper, which is believed to be affiliated with Hamas and organized into two sub-groups focused on cyber espionage in Israel and Palestine respectively. Arid Viper relies on social engineering and phishing as initial intrusion tactics to distribute a range of custom malware and spy on its victims, including sectors such as defense and government organizations, law enforcement agencies, and political groups.
2023-10-30 14:48:38 | theregister | CYBERCRIME | Stanford University Suffers Third Ransomware Attack in Three Years
Stanford University is investigating a ransomware attack claimed by the Akira group, marking the third such intrusion at the institution in as many years. Akira claims to have stolen 430GB of data from the university but has shared few other details. The incident appears to have primarily affected Stanford's Department of Public Safety (SUDPS), with no indication that other parts of the university or the police response to emergencies were affected. The impacted SUDPS system has since been secured. Ransomware attacks against Stanford were also claimed by Cl0p earlier this year and last year, the latter involving a compromise of Accellion FTA. The Akira ransomware-as-a-service operation began in March 2023 and is believed to be run by experienced operators, potentially from the same group responsible for the Conti ransomware. According to a report from energy service provider BHI Energy on a similar incident, the Akira group used stolen VPN credentials for initial access and internal reconnaissance before stealing large amounts of data and deploying its ransomware payload. Despite the similarities to the Conti group, analysis of the Akira code shows that it differs significantly from the similarly named ransomware that operated in 2017.
2023-10-30 14:48:38 | bleepingcomputer | MALWARE | Huawei and Vivo Phones Wrongly Identify Google App as Trojan Malware
Huawei, Honor, and Vivo smartphones and tablets have been flagging the Google app as malware, labelling it 'TrojanSMS-PA' and advising users to uninstall it immediately because of a supposed 'high risk' level. The security alerts claim the app was detected covertly sending texts, enticing users with adult content, downloading and installing apps without consent, or stealing sensitive information. However, this appears to be a false positive: Google Play Protect is not triggering these alerts, and a Google spokesperson recommended that affected users contact their device manufacturers for further details. On Huawei devices the alerts were traced to the 'Huawei Optimizer' app, but the cause on Vivo and Honor phones is presently unclear. Clearing the app's cache or data in settings, or uninstalling and reinstalling the app, have been proposed as ways to silence the false alarms. Neither Huawei nor Vivo has yet officially confirmed that these are false positives or provided an explanation.
2023-10-30 12:10:08 | thehackernews | CYBERCRIME | Panel of Experts Discuss Essential Web Application Security Trends in New Webinar
The upcoming webinar will focus on web application security, drawing on findings from the "OPSWAT 2023 State of Web Application Security Report" and featuring insights from leading cybersecurity experts. The use of cloud infrastructure and containerization in modern web application development opens up multiple attack vectors, including abuse of file uploads on public clouds and vulnerabilities in the containers that run web applications. Platforms such as Microsoft Azure, Amazon Web Services, and Google Cloud Platform require dedicated security measures, without which applications may be exposed to data breaches. While containers offer significant benefits, they also introduce additional security risks: malware or vulnerabilities concealed in container images can lead to business disruption, exposure of customer data, and compliance violations. To prevent damaging data leaks, the panel will discuss existing pitfalls and the tools needed for malware and sensitive data checks. Even with increased security budgets, most organizations use only a limited number of AV engines for malicious file detection. Key takeaways from the webinar will include web application security insights and strategies, especially around the relatively underused Content Disarm and Reconstruction (CDR) technology.