Daily Brief

Articles are listed below with generated summaries

Total articles found: 11638

Checks for new stories every ~15 minutes

2023-10-24 21:06:15 theregister CYBERCRIME Citrix Urges Immediate Patch to Fix Critical NetScaler Bug; Targets of Cyber Attacks Remain Unrevealed
Citrix is urging administrators to apply the fix for CVE-2023-4966, a critical information disclosure bug in NetScaler ADC and NetScaler Gateway, without delay. A proof-of-concept exploit for the bug, dubbed Citrix Bleed, has been posted on GitHub. Citrix first issued fixed builds on October 10. Mandiant reports that threat actors, possibly cyberspies, have been exploiting the flaw since late August to hijack authenticated sessions and steal corporate information. Citrix strongly recommends installing the recommended builds immediately on any NetScaler ADC or Gateway configured as a gateway or as an AAA virtual server. Because the bug leaks session tokens, a fixed build does not invalidate sessions that were already stolen; Citrix also advises terminating all active and persistent sessions after upgrading. Attacks exploiting the weakness have been reported, but the company has disclosed no details about the victims. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-4966 to its Known Exploited Vulnerabilities catalog, listing its use in ransomware campaigns as "unknown", and has directed federal agencies, and the businesses that work with them, to fix the flaw.
2023-10-24 20:05:04 bleepingcomputer CYBERCRIME Cyberattack on Shared Service Provider Disrupts Operations at Five Canadian Hospitals
TransForm, an Ontario-based not-for-profit shared service provider that manages IT, supply chain and accounts payable for five hospitals, has suffered a cyberattack that took its IT systems offline and disrupted operations at all five. Patient care has been affected, with non-urgent appointments having to be rescheduled. TransForm says it is investigating the incident, and it is not yet clear whether any patient data was compromised. The five hospitals that rely on TransForm's services have issued a joint statement to patients describing the disruption. Patients who were recently treated at the hospitals are advised to stay vigilant and treat unsolicited communications with suspicion.
2023-10-24 19:49:17 bleepingcomputer CYBERCRIME Russian State and Key Industrial Organizations Targeted by Custom Go-Based Backdoor
State and key industrial organizations in Russia have been targeted with a custom Go-based backdoor built for data theft and espionage. Kaspersky first detected the activity in June 2023 and spotted an improved version with better evasion in mid-August, indicating that the campaign is still being developed. The attack begins with an email carrying a malicious Nullsoft (NSIS) installer disguised as a 'financial control' document; the archive contains a decoy PDF and an NSIS script that fetches the malware payload from an external URL. Two further backdoors delivered in the same phishing wave, 'Netrunner' and 'Dmcserv', differ mainly in their command-and-control (C2) server configuration. To resist detection, the malware encrypts all data sent to the C2 server and checks whether it is running in a virtual machine. The mid-August version adds file-stealing capabilities, targeting passwords saved in 27 web browsers and the Thunderbird email client, and switches to a new encryption scheme that uses RSA asymmetric encryption to protect its C2 traffic.
2023-10-24 17:57:08 bleepingcomputer MISCELLANEOUS Matrix Messaging Network Announces 115M Users and Release of Second Major Version
The Matrix messaging network has released its second major version, which adds end-to-end encryption for group VoIP, faster loading and an improved user experience. Matrix now reports more than 115 million users, with rapid growth among public sector organizations, businesses and individuals. Matrix 2.0 introduces scalable native group VoIP that supports conference calls with hundreds of participants, a Sliding Sync API for faster initial sync and login, and a move to the industry-standard OpenID Connect authentication protocol. The Matrix Foundation claims that Sliding Sync makes client apps on the protocol faster than iMessage, WhatsApp and Telegram. Matrix 2.0 also speeds up room joins through a 'lazy-loading' mechanism in the client API, so resources are fetched only when needed. New users are directed to the Element X app, which incorporates all of the Matrix 2.0 features; it is used by organizations where communication security is paramount, including NATO, the UN, the US Department of Defense, the German and Ukrainian armed forces, the UK Ministry of Defence and the French government.
2023-10-24 16:50:31 theregister NATION STATE ACTIVITY Ex-NSA Employee Pleads Guilty to Attempted Espionage, Faces Possible Life Sentence
Former National Security Agency (NSA) employee Jareh Sebastian Dalke has pleaded guilty to six counts of violating the Espionage Act for attempting to sell classified information to people he believed were Russian spies but who were in fact FBI agents. Dalke, a former US Army soldier who worked at the NSA for less than a month, is due to be sentenced in April 2024 and faces up to life in prison, although his sentence could be capped at just under 22 years if he cooperates fully with the authorities. He admitted transmitting excerpts of three classified documents and four complete documents, all containing top secret national defense information, to an undercover FBI employee online. Debt was cited as the key motivation: Dalke owed $237,000, with $93,000 due soon, and had asked for $85,000 in cryptocurrency for all the documents in his possession. His actions were uncovered through detailed activity logs on NSA systems, which showed he had printed the documents he later sent to the FBI; he also moved cryptocurrency received from the FBI into a personal bank account. Dalke is the latest in a string of recent US espionage cases, including an Air National Guard member who posted classified information online and two US Navy sailors who pleaded guilty to passing sensitive military information to Chinese intelligence.
2023-10-24 16:44:47 bleepingcomputer MISCELLANEOUS Decentralized messaging protocol, Matrix, releases second major version with 115M users
Matrix, the open standard and real-time communication protocol, has released its second major version, with end-to-end encryption for group VoIP, faster loading and more. Statistics from the open-source Synapse Matrix homeserver show that unique Matrix IDs on the public network have surpassed 115 million, nearly double the 60 million reported in July 2022. Matrix 2.0 brings a suite of functionality improvements, including large conference calls with full encryption, a new Sliding Sync API for faster syncing and login, and adoption of the OpenID Connect authentication protocol for better security and interoperability. The move to OpenID Connect, which is built on OAuth 2.0 and lets developers verify users across applications while adding an extra layer of security, signals the protocol's readiness for enterprise use. The foundation behind Matrix suggests new users adopt the Element X app, which incorporates all the latest Matrix 2.0 features; it is used by organizations where communication security is critical, including NATO, the United Nations and the US Department of Defense. Other chat apps that support the Matrix protocol include Nheko, FluffyChat, Fractal, Quaternion, Spectral, Hydrogen and NeoChat.
2023-10-24 15:17:44 theregister CYBERCRIME 1Password and other high-profile Okta customers fend off cyberattacks despite repeated intrusions
1Password has confirmed that it was targeted following the recent breach at identity provider Okta, but says its customers' login information was not compromised. The intrusion was detected on September 29, when a member of 1Password's IT team received an unexpected report listing all of the company's Okta administrators. The activity was traced to a suspicious IP address from which the attacker had reached 1Password's Okta admin portal. The investigation found no evidence of data exfiltration or of access to any system beyond Okta; the attacker appeared to be gathering intelligence for a larger, more sophisticated follow-on attack. The attacker had obtained an HTTP Archive (HAR) file that 1Password had uploaded to Okta's customer support portal. It was initially thought the file had been intercepted over a public Wi-Fi network, but Okta later disclosed that its support system had been compromised, giving the attackers access to the uploaded files. Other high-profile Okta customers, Cloudflare and BeyondTrust, also fended off attacks stemming from the same incident and reported detecting and containing them before Okta notified them. Okta says it is working with affected customers and has published general guidance on sanitizing all credentials, cookies and session tokens from a HAR file before sharing it.
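The practical lesson of the Okta incident is that a HAR file is a full capture of browser traffic, so it carries bearer tokens, session cookies and login bodies. The following is an added example, not code from Okta, 1Password or The Register, that implements the generic sanitization advice in the summary above: it walks a parsed HAR (the standard log.entries[].request/response layout), redacts well-known credential headers, every cookie value, token-like query, form and JSON keys, and the query string embedded in request.url, then runs a leak check over the result. The header and key names it treats as sensitive are common conventions and an assumption of this example, not a complete list; the sample HAR at the bottom is constructed, not a real capture.

```python
"""Redact credentials, cookies and session tokens from a HAR file before sharing it.

Added example, not code from Okta, 1Password or The Register. The header and
key names treated as sensitive are common conventions (an assumption), not an
exhaustive list, so review the output before uploading it anywhere.
"""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"

# Header names whose values are always replaced (compared case-insensitively).
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-auth-token", "x-csrf-token", "x-xsrf-token",
}
# Heuristic for query/form/JSON keys that usually carry a secret; it errs on
# the side of over-redaction (for example "statusCode" matches "code").
SENSITIVE_KEY_RE = re.compile(
    r"token|secret|password|passwd|session|sid|auth|api[_-]?key|code", re.I)


def is_sensitive(name):
    return name.lower() in SENSITIVE_HEADERS or bool(SENSITIVE_KEY_RE.search(name))


def scrub_pairs(pairs, all_values=False):
    """Redact a HAR name/value list (headers, queryString, postData.params, cookies).
    Cookies are redacted wholesale (all_values=True): any cookie may be a session id."""
    for item in pairs:
        if all_values or is_sensitive(item.get("name", "")):
            item["value"] = REDACTED


def scrub_url(url):
    """Redact sensitive query parameters embedded in request.url."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    query = [(k, REDACTED if SENSITIVE_KEY_RE.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def scrub_body(text):
    """Redact sensitive keys in a JSON body, or key=value pairs in a form body."""
    if not text:
        return text
    try:
        obj = json.loads(text)
    except ValueError:  # not JSON: treat as application/x-www-form-urlencoded
        return re.sub(r"(\b[\w\-]*(?:token|secret|password|session|code)[\w\-]*)=[^&\s]+",
                      r"\1=" + REDACTED, text, flags=re.I)

    def walk(node):
        if isinstance(node, dict):
            return {k: REDACTED if SENSITIVE_KEY_RE.search(k) else walk(v)
                    for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node
    return json.dumps(walk(obj))


def sanitize_har(har):
    """Return a deep copy of the parsed HAR (a dict) with secrets redacted."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"] = scrub_url(req.get("url", ""))
        scrub_pairs(req.get("headers", []))
        scrub_pairs(req.get("queryString", []))
        scrub_pairs(req.get("cookies", []), all_values=True)
        post = req.get("postData", {})
        scrub_pairs(post.get("params", []))
        if "text" in post:
            post["text"] = scrub_body(post["text"])
        scrub_pairs(resp.get("headers", []))
        scrub_pairs(resp.get("cookies", []), all_values=True)
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = scrub_body(content["text"])
    return har


def find_leaks(har):
    """Return (location, name) pairs still holding a non-redacted sensitive value.
    Run it on the sanitized output as a final check before the file leaves your machine."""
    leaks = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for k, v in parse_qsl(urlsplit(part.get("url", "")).query):
                if SENSITIVE_KEY_RE.search(k) and v != REDACTED:
                    leaks.append((f"entries[{i}].{side}.url", k))
            for kind in ("headers", "queryString", "cookies"):
                for item in part.get(kind, []):
                    name = item.get("name", "")
                    if item.get("value") != REDACTED and (kind == "cookies" or is_sensitive(name)):
                        leaks.append((f"entries[{i}].{side}.{kind}", name))
    return leaks


# Constructed sample (not a real capture): one login call to an imaginary host.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://login.example.invalid/api/v1/authn?sessionToken=abc123",
        "headers": [{"name": "Authorization", "value": "Bearer tok_0123456789"},
                    {"name": "Cookie", "value": "sid=102.deadbeef; DT=xyz"},
                    {"name": "Content-Type", "value": "application/json"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"}],
        "cookies": [{"name": "sid", "value": "102.deadbeef"}],
        "postData": {"mimeType": "application/json",
                     "text": '{"username": "alice", "password": "hunter2"}'}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=new.session; Secure; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "new.session"}],
        "content": {"mimeType": "application/json",
                    "text": '{"status": "SUCCESS", "sessionToken": "20111abc"}'}}}]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
    print("remaining leaks:", find_leaks(clean))
```

Two design points worth noting. Cookies are redacted unconditionally rather than by name, because a session cookie can have any name and one missed cookie is exactly the failure mode in the Okta case. And the checker is separate from the scrubber: a HAR can carry tokens in places this example does not cover (for example inside a base64 response body), so treat find_leaks returning an empty list as necessary, not sufficient, and still skim the file by hand.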
2023-10-24 15:11:57 bleepingcomputer CYBERCRIME French Basketball Club ASVEL Falls Victim to NoEscape Ransomware Attack, Confirms Data Breach
French professional basketball club LDLC ASVEL (ASVEL) has confirmed a data breach after the NoEscape ransomware group claimed an attack on it. The club learned of the possible attack from the press after being listed on the gang's extortion site on October 9, 2023. The attackers reportedly stole around 32 GB of data, including players' personal data and identity documents; financial, tax and legal documents; and contractual documents such as NDAs and confidential letters. NoEscape threatened to publish the data by October 20, 2023 unless a ransom was paid. ASVEL engaged cybersecurity specialists, who confirmed on October 18, 2023 that the club's data had indeed been breached. The breach did not affect the club's operations, but it is assessing possible harm to third parties whose data may have been exposed. The club is concerned about the payment details of customers who bought from its official website, although it has found no evidence that such data was compromised. France's data protection authority, CNIL, has been notified and the club intends to file a formal complaint with law enforcement. NoEscape, believed to be a successor to the defunct Avaddon group, has since removed ASVEL from its leak site, raising speculation that the club may be negotiating to prevent the data from being published.
2023-10-24 14:56:16 bleepingcomputer CYBERCRIME VMware Alerts Customers of Public Exploit for vRealize Log Insight Authentication Bypass Flaw
VMware has warned customers that proof-of-concept exploit code is available for CVE-2023-34051, an authentication bypass in vRealize Log Insight (now VMware Aria Operations for Logs). Under certain conditions the flaw lets an unauthenticated attacker execute code remotely as root. Exploitation requires the attacker to have already compromised a host in the target environment and to have the permissions needed to add an extra network interface or a static IP address. Horizon3, the researchers who found the bug, have released the PoC along with a list of indicators of compromise (IOCs) that defenders can use to spot exploitation attempts in their environments. The vulnerability also bypasses the fixes for a chain of critical remote code execution flaws that VMware patched in January. Horizon3 notes that while the bug is simple to exploit, the attacker needs pre-existing network infrastructure to serve malicious payloads and will most likely need a foothold elsewhere on the network, since the product is unlikely to be exposed to the internet.
2023-10-24 14:35:03 theregister NATION STATE ACTIVITY Element Customers Seek Protection From UK Government's Encryption-Busting Law
Element, the company behind the decentralized Matrix communications platform, says several customers are demanding contract clauses protecting them from the UK government's Online Safety Bill (OSB), because of its potential to require the "scanning" of securely encrypted messages. The bill, passed by the UK Parliament last month, still contains the controversial "spy clause", which in theory gives the government the power to require scanning of end-to-end (E2E) encrypted messages under certain conditions. Although the UK government reportedly concedes that scanning encrypted messages is not currently practical, the clause allows it to "give notice" to E2E communication providers when it deems this "proportionate and necessary". Critics such as Matthew Hodgson, Matrix's technical co-founder and Element's CEO, argue that such scanning would require bypassing encryption, potentially exposing messages to attackers. Notable users of Element's services include the UN, the US Department of Defense, the UK Ministry of Defence and NATO, and some customers are said to have requested assurances against OSB-mandated scanning to safeguard their own privacy. The Matrix network now has 115 million users, a figure that has nearly doubled in the past year, and the company is preparing a major update to the platform, Matrix 2.0.
2023-10-24 14:19:23 bleepingcomputer CYBERCRIME Cyberattack Disrupts Services at Five Ontario Hospitals
A cyberattack on shared service provider TransForm has disrupted operations at five hospitals in the Erie St. Clair region of Ontario, Canada, forcing appointments to be rescheduled and affecting patient care. TransForm, a not-for-profit organization, manages IT, supply chain and accounts payable for the affected hospitals; following the attack its IT systems have been taken offline. The organization has not yet determined whether patient data was compromised, and the nature of the attack is still under investigation. Patients with upcoming appointments may need to reschedule, and those who do not need emergency care are advised to seek it from their primary care providers or local clinics. Patients and staff are advised to be wary of unsolicited communications while the investigation continues.
2023-10-24 12:32:15 thehackernews NATION STATE ACTIVITY Ex-NSA Employee Pleads Guilty to Attempting to Leak Classified Data to Russia
Jareh Sebastian Dalke, a former NSA Information Systems Security Designer, has pleaded guilty to attempting to transmit classified national defense information to Russia. Dalke worked for the NSA from June 6 to July 1, 2022 and held a top secret clearance that gave him access to sensitive documents. Using an encrypted email account, he sent three classified documents to someone he believed was a Russian agent but who was in fact an undercover FBI employee. Dalke asked for $85,000 for the information, which he claimed would be valuable to Russia, and promised to share more documents in the future. He was arrested on September 28, 2022, moments after transferring the files. The documents included an update on an unspecified cryptographic program, a threat assessment of US defense capabilities, and a report on Russia's offensive capabilities. Dalke faces a maximum penalty of life imprisonment; sentencing is scheduled for April 26, 2024.
2023-10-24 11:05:03 thehackernews MISCELLANEOUS Modernizing API Management: Enhancing Security, Scalability and Integration with Gloo Gateway
Modernizing API management means moving from monolithic architectures to agile microservices, which allow rapid change and scaling; serverless technologies and containers ease that transition. The blog post advocates cloud-native API management solutions such as Gloo Gateway, which bundle security, observability and API controls with other enterprise features. It argues that outdated API management systems often lack essential security features, leaving them exposed to data breaches, unauthorized access and DDoS attacks, and recommends strong authentication and authorization (API keys, JWT, OAuth and OIDC), encryption of data in transit, and real-time monitoring for early threat detection. Gloo Gateway's integration with OpenTelemetry provides API usage and analytics data for insight into traffic and user behavior, and its integration with the CNCF's Backstage streamlines sharing, testing and controlling access to APIs. Regular security audits, software updates and staff training in security best practices round out the recommendations.
2023-10-24 11:05:03 thehackernews CYBERCRIME Spanish Authorities Arrest 34 Online Scammers for Netting $3.2m in Profits
Spanish police have arrested 34 members of an online criminal group that ran a range of scams netting around $3.2 million in illicit profits. The group defrauded victims by impersonating banks and electricity providers via email, SMS and phone calls. In one scheme the fraudsters gained unauthorized access to customer databases at financial institutions, credited funds to customer accounts, and then contacted the customers about a supposed erroneous deposit, instructing them to return the money through a bogus link that captured their banking credentials. Police also seized a database of cross-referenced information on four million people, compiled by infiltrating the databases of financial and credit institutions. The network's leaders used false documentation and spoofing techniques to conceal their identities and invested the proceeds in cryptocurrency. The operation was carried out across 16 locations in Spain and recovered two fake firearms, a katana, a baseball bat, €80,000 in cash, four high-end vehicles and thousands of euros' worth of computer and electronic equipment. The arrests follow the Spanish National Police's separate arrest of 55 members of a group called the Black Panthers and the discovery of a money laundering scheme in which China-based scammers used counterfeit instant loan apps and India's Unified Payments Interface to defraud victims.
2023-10-24 10:08:42 theregister DATA BREACH Half a Million Irish Motorist Records Exposed due to Password-Less Third-Party Database
More than 500,000 records relating to vehicle seizures by Ireland's national police, An Garda Síochána, were exposed in an unsecured, password-less database run by a Limerick-based contractor. The records, dating back to 2017, include scanned identity documents, insurance investigation inquiries, vehicle registration certificates and other potentially sensitive data. Security researcher Jeremiah Fowler, who discovered the exposure, estimates that around 150,000 vehicle owners were affected. A Garda spokesperson noted that towing companies are obliged to protect information supplied by the police, a responsibility that extends to data they pass to third parties for storage. Fowler suggests the database may have been set to public access by mistake, and there is currently no evidence that the data was accessed or exfiltrated by a malicious party. The incident follows a string of recent data leaks reported by UK police forces.