Daily Brief

Find articles below; see 'DETAILS' for generated summaries

Total articles found: 11658

Checks for new stories every ~15 minutes

2023-10-30 11:59:24 thehackernews DATA BREACH ServiceNow Announces Potential Data Exposure Due to Misconfigurations
ServiceNow, a cloud-based platform used for automating IT service management, has reported that misconfigurations within the platform create the potential for "unintended access" to sensitive data. The issue stems from the security controls around a ServiceNow Access Control List (ACL) widget called Simple List, whose tables by default could be accessed remotely by unauthenticated users. These tables can contain sensitive data, including content from IT tickets, internal knowledge bases, and employee details. The misconfigurations have been present since the introduction of Access Control Lists in 2015. Although no incidents have been reported to date, the recent publication of the data leakage research could expose companies to more risk if the issue is left unresolved. ServiceNow remediated the issue in multiple locations within the application; however, companies are advised to double-check that all exposure risk has been eliminated. Organizations using a SaaS Security Posture Management (SSPM) solution, such as Adaptive Shield, can identify risky misconfigurations and adjust settings to prevent data leakage, gaining a better understanding of their security posture and potential attack surface.
2023-10-30 10:58:02 thehackernews CYBERCRIME EleKtra-Leak Cryptojacking Campaign Exploits Exposed Amazon Web Services Credentials on GitHub
A campaign known as EleKtra-Leak is exploiting exposed Amazon Web Services (AWS) Identity and Access Management (IAM) credentials on GitHub to facilitate cryptojacking operations. Active since December 2020, the attack is thought to have mined Monero from as many as 474 unique Amazon Elastic Compute Cloud (EC2) instances. Exposed AWS IAM credentials are typically targeted within four minutes of appearing on GitHub, suggesting that the threat actors automatically clone and scan repositories for leaked keys. The adversary behind the attack has also been seen blacklisting AWS accounts that publicize IAM credentials, apparently to hinder further analysis of their activities. There are indications that this attacker may also be linked to another cryptojacking campaign that targeted poorly secured Docker services. The campaign has succeeded by exploiting gaps in GitHub's secret scanning feature and in AWS's approach to flagging and preventing the misuse of exposed IAM credentials. Cybersecurity firm Unit 42 found that the stolen AWS credentials were used to perform account reconnaissance, create AWS security groups, and launch multiple EC2 instances, with cryptomining run on c5a.24xlarge instances because of their higher processing power.
2023-10-30 06:48:07 thehackernews CYBERCRIME Three Unpatched High-Severity Vulnerabilities Discovered in NGINX Ingress Controller for Kubernetes
Three high-severity security flaws have been discovered in the NGINX Ingress controller for Kubernetes, which could enable a threat actor with access to the cluster to steal secret credentials from it. The vulnerabilities (CVE-2023-5043, CVE-2023-5044, and CVE-2022-4886) could allow an attacker to inject arbitrary code into the ingress controller process, gaining unauthorized access to sensitive data. The lack of validation in the "spec.rules[].http.paths[].path" field could permit siphoning off Kubernetes API credentials from the ingress controller. While no patches are currently available, the maintainers have released mitigations: enabling the "strict-validate-path-type" option and setting the --enable-annotation-validation flag to prevent the creation of Ingress objects with invalid characters and to enforce additional restrictions. ARMO, the Kubernetes security platform, said that updating NGINX to version 1.19 along with adding the "--enable-annotation-validation" command-line configuration could resolve CVE-2023-5043 and CVE-2023-5044. These vulnerabilities highlight the security concerns around ingress controllers, given their access to TLS secrets and the Kubernetes API and their exposure to external traffic as a public, internet-facing component.
2023-10-30 04:25:18 thehackernews MALWARE Cyber Attack Campaign Uses MSIX App Packages & GHOSTPULSE Malware to Infect PCs
A new cyberattack campaign has been found using MSIX Windows app package files for known software to distribute malware named GHOSTPULSE. MSIX is a Windows app package format commonly used by developers to distribute and install apps, but it requires access to purchased or stolen code-signing certificates, making it an attractive tool for attackers. Potential victims are usually enticed into downloading the MSIX packages through compromised websites, search engine optimization poisoning, or malvertising. Once the MSIX file is opened and installed, GHOSTPULSE is downloaded onto the compromised host from a remote server via a PowerShell script. The malware has multiple stages, involving a TAR archive containing an executable that appears to be an Oracle VM VirtualBox service, DLL side-loading, and process doppelgänging. The attack is highly evasive because it minimizes the on-disk footprint of the encrypted malicious code, making it harder for antivirus and machine learning scans to detect. As a loader, GHOSTPULSE can introduce a range of malware, including SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
2023-10-30 02:33:15 theregister DATA BREACH Aerospace Giant Boeing Investigates Potential Data Theft by Ransomware Gang LockBit; Las Vegas School Suffers Data Breach
Ransomware gang LockBit claims to have exfiltrated a significant amount of sensitive data from aerospace company Boeing, threatening to expose the information if the company does not engage with it by 2 November. The potential data theft could have substantial repercussions given Boeing's military clientele. The company is currently assessing the claim. Reports suggest an affiliate of LockBit led the attack, using a zero-day exploit. LockBit has made approximately $90 million in the USA alone since 2020. The Clark County School District in Las Vegas has reported a data breach in which sensitive information about students and their parents was emailed to the parents themselves. The nature and extent of the breached information make this a serious cyber incident. The school district said cybercriminals accessed limited personal data, and impacted parties are being notified. It has also locked down access to its Google Workspace. Extensive data from the school district was reportedly published on a file-sharing site but has since been taken down. Among the leaked data were personal emails, demographic information on 25,000 district graduates, disciplinary records, health data, internal communications, and district financial information. Even as critical vulnerabilities have emerged, the US Cybersecurity and Infrastructure Security Agency (CISA) warned against a proposed 25% cut to its budget, which would severely hamper its operations. Separately, six individuals were arrested in Nigeria for alleged cybercrimes.
2023-10-30 00:00:43 bleepingcomputer CYBERCRIME New Ransomware-as-a-Service "Hunters International" Resembles Discontinued Hive Operation
A new Ransomware-as-a-Service named Hunters International, which uses code similar to the former Hive ransomware operation, has emerged, suggesting a revival of Hive under a different guise. Researchers analyzing the malware found a significant similarity to the code used in Hive ransomware attacks, with an overlap of more than 60% in their code. Despite the similarities, Hunters International denies any connection to Hive and claims to be a new service on the ransomware scene that bought Hive's encryptor source code. Hunters' malware appends ".LOCKED" to processed files and leaves a text file instructing victims to contact the attacker over Tor on a chat page protected by a unique login for each victim. The group's data leak site currently shows only one victim, a UK-based school from which the attackers allegedly extracted around 50,000 files. The previous Hive ransomware operation reportedly ceased after an international operation seized its Tor payment and data leak sites in January, though the group is said to have breached over 1,300 companies and received nearly $100 million in ransom payments. Whether Hunters represents a revival of Hive or a new, independent operation remains uncertain despite the clear similarities in code.
2023-10-29 15:18:01 bleepingcomputer CYBERCRIME Austrian Police Dismantle Large-Scale Illegal IPTV Network and Seize $1.74m
Austrian police have arrested 20 people associated with the operation of a large-scale illegal IPTV network and seized $1.74m. The network operated between 2016 and 2023, decrypting copyrighted broadcasts and selling them to its customers. The operation involved 80 alleged criminals, all Turkish citizens, and was structured as a hierarchy of suppliers and resellers. Customers were acquired primarily through word-of-mouth marketing, and many went on to become resellers themselves. The arrests took place across Austria, with operations in Vienna, Lower Austria, Salzburg, Vorarlberg, and Tyrol. The arrested individuals have been charged with commercial fraud, money laundering, and violations of the Access Control Act and the Copyright Act.
2023-10-28 18:14:58 bleepingcomputer DATA BREACH Clark County School District Suffers Massive Data Breach, Hackers Email Stolen Student Data to Parents
The fifth-largest U.S. school district, Clark County School District (CCSD) in Nevada, experienced a major data breach in which personal details of students, parents, and employees were stolen. Hackers have sent threatening emails to parents warning that their child's data was exposed; the emails contain attachments with stolen student data such as photos, addresses, student ID numbers, and email addresses. Following the cyberattack, CCSD suspended access from external accounts to its Google Workspace and reset all student passwords. It also engaged a team of forensic experts and is working with law enforcement on the case. The group claiming responsibility for the breach, 'SingularityMD', alleges it still has access to CCSD's network and aims to continue interfering until the school district meets its ransom demand. Reports indicate that the stolen data, hosted on dark web and clear web sites, appears legitimate, including students' emails, birth dates, ethnicity, PSAT scores, health information, suspensions, and incident reports, as well as the district's financial reports, staff salaries, and grant information. CCSD has yet to confirm the veracity of the leaked data or the ongoing security concerns; however, the data's authenticity has been confirmed by parents who received it.
2023-10-28 15:22:02 bleepingcomputer MISCELLANEOUS HackerOne Awards Over $300 Million in Bug Bounty Payouts
HackerOne, an ethical hacking platform, has paid out over $300 million to ethical hackers and vulnerability researchers through its bug bounty programs. Thirty individuals have earned more than a million USD each for their bug submissions, with one hacker earning over $4 million for bug reports. The platform allows organisations to manage reports and resolve identified software issues promptly, enabling remediation that is on average 28% faster than last year. HackerOne released its '2023 Hacker-Powered Security Report', highlighting that crypto and blockchain companies continue to engage the most ethical hackers because they promise higher payouts. Over half of the ethical hackers in these programs utilise generative AI for various tasks, with 61% planning to use it to discover more vulnerabilities in the future. The survey also revealed the motivating and discouraging factors for hackers participating in the programs, with bounty rewards being the most significant motivator (73%) and slow response times the most discouraging factor (60%).
2023-10-28 07:24:40 thehackernews CYBERCRIME Lawful Interception Attempts Uncovered on XMPP-Based Messaging Service Jabber.ru
An attempt, suspected to be lawful interception, was made to covertly wiretap traffic from the XMPP-based instant messaging service jabber[.]ru. The attackers used servers hosted at Hetzner and Linode in Germany, and issued new TLS certificates through the Let's Encrypt service to hijack encrypted STARTTLS connections. The presence of a man-in-the-middle (MiTM) attack was detected because one of the MiTM certificates expired. Based on the evidence collected, it is believed that the traffic redirection was set up on the hosting provider's network, which reduces the likelihood of a server breach or spoofing attack. The wiretapping lasted roughly six months, from April 18 to October 19. The activity was first deemed suspicious on October 16, when a UNIX administrator received a certificate expiration message. The actor behind the activity is unclear: it could be lawful interception based on a German police request, or an intrusion into the internal networks of both Hetzner and Linode. The attack would have allowed the perpetrators to perform any activity as if it originated from the authorized account. Users are advised to assume their previous 90 days of communications are compromised, to check for unauthorized keys, and to change their passwords.
2023-10-27 22:31:49 theregister CYBERCRIME Persistent Bug in Apple's 'Private Wi-Fi Address' Feature Exposed Users' MAC Addresses
Apple's privacy feature 'Private Wi-Fi Address' promised to spoof MAC addresses to protect users' privacy, but it had not been functioning properly since its introduction in September 2020 because of a bug. The feature was intended to generate different MAC addresses to prevent tracking or profiling of users on Wi-Fi networks; however, a bug in mDNSResponder, related to Apple's Bonjour networking protocol, rendered it ineffective. The bug exposed the device's real MAC address in AirPlay discovery requests while the device was connected to the network, undermining the privacy protection. It was identified by Tommy Mysk and Talal Haj Bakry of Mysk Inc, who used a network protocol analyzer to show that the real MAC address was being sent along with the generated one. Apple patched the bug with the release of iOS 17.1, iPadOS 17.1, watchOS 10.1, and iOS 16 and iPadOS 16, but did not provide the fix for users still on iOS 15. The issue highlights the importance of regular system updates for network security and privacy protection.
2023-10-27 19:03:40 bleepingcomputer CYBERCRIME Over $1 Million Awarded to Hackers for Identifying Zero-Day Exploits at Pwn2Own Toronto
The Pwn2Own Toronto 2023 hacking event concluded with security researchers earning over $1 million for 58 zero-day exploits. Researchers took aim at a wide range of consumer products, including mobile phones, printers, routers, home automation hubs, and surveillance systems. Among the devices tested, the Samsung Galaxy S23, despite running the latest security updates, was hacked four times. The Pentest Limited and STAR Labs SG teams exploited input validation weaknesses to gain code execution and were awarded $50,000 and $25,000 respectively. The overall winners were Team Viettel, who took home $180,000 and 30 Master of Pwn points. Vendors whose products were targeted during the event have 120 days to release patches for the identified vulnerabilities before the Zero Day Initiative publicly discloses them. The previous Pwn2Own event in Vancouver rewarded competitors with a combined prize of $1,035,000 and a Tesla Model 3 for 27 zero-day exploits.
2023-10-27 18:37:47 bleepingcomputer RANSOMWARE Unprecedented Rise in Ransomware Attacks Continues in October 2023, Culprits Include Broadly Linked English-Speaking Octo Tempest Group
Ransomware attacks hit a record high in September 2023 with 514 attacks, surpassing the previous March 2023 peak of 459, according to NCC Group data. Check Point Software reported a 3% increase in ransomware attacks in 2023, while a Chainalysis report projected that ransom payments may exceed $500m by year-end, making 2023 a record year for ransom payments. Microsoft highlighted the "Octo Tempest" group as one of the "most dangerous financial criminal groups", with the threat actors involved resorting to hacking, SIM-swapping attacks, and threats of violence, and being connected to the BlackCat ransomware group. Octo Tempest is believed to be behind recent ransomware attacks on MGM Resorts and Caesars, as well as previous attacks on Reddit, MailChimp, Twilio, DoorDash, and Riot Games. American Family Insurance, BHI Energy, University of Michigan, TransForm, LDLC ASVEL, Chile's Grupo GTD, and Seiko confirmed separate cyberattacks, including ransomware attacks that exposed sensitive customer data. New ransomware variants observed include JarJets, which uses the .Jarjets extension, and BlackDream, which uses the .BlackDream extension.
2023-10-27 17:36:22 theregister CYBERCRIME F5 Rushes to Mitigate Major Remote Code Execution Bug in BIG-IP Suite
F5, a software firm specialising in application services and application delivery networking (ADN), issued a fix for a remote code execution (RCE) bug in its BIG-IP suite, providing hotfixes and temporary mitigations for vulnerable versions. The RCE bug, discovered by researchers at Praetorian, received a severity score of 9.8 out of 10 on the CVSS scale, indicating high risk; exploitation could lead to total system compromise. The flaw was initially reported to F5 in early October, and the firm accelerated mitigations after learning that the vulnerability could be known to outside entities. The vulnerability is described as an Apache JServ Protocol (AJP) smuggling issue; further technical details of the bug and exploitation process are being withheld pending wider deployment of F5's fixes. F5 issued an advisory highlighting two additional issues affecting BIG-IP alongside the Praetorian-discovered bug: a cache poisoning issue with no current fix and an SQL injection vulnerability.
2023-10-27 16:19:36 bleepingcomputer CYBERCRIME North Korean Lazarus Group Repeatedly Breached Software Vendor for Supply Chain Attacks
The North Korean Lazarus hacking group breached a software vendor multiple times, despite the availability of patches and warnings, hinting at a possible aim to steal source code or mount a supply chain attack. Lazarus exploited vulnerabilities in the company's software even as it targeted other software makers, according to Kaspersky, which discovered the attacks in July 2023. Lazarus targeted legitimate security software used for encrypting web communications, though the exact attack method is unclear. The breach resulted in the deployment of the SIGNBT malware and a malicious DLL, providing persistence and allowing the attack on the intended targets to continue. SIGNBT also fetches additional payloads from the command-and-control server and drops them on the host, a capability Lazarus used to download credential dumping tools and another malware family, LPEClient. Kaspersky observed Lazarus using LPEClient in other campaigns in 2023, at earlier infection stages, to introduce further payloads. The Lazarus group remains one of the most active and dangerous cyber threat actors, and its tactics highlight the need for organizations to apply patches promptly and deny easy exploitation of known vulnerabilities.