Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11615
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-17 13:18:23 | bleepingcomputer | CYBERCRIME | Thousands of Cisco IOS XE Devices Compromised via Critical Zero-Day Bug Exploitation | Thousands of Cisco IOS XE devices have been exploited and infected with malicious implants through a critical zero-day vulnerability (CVE-2023-20198), according to threat intelligence firm VulnCheck. The vulnerability affects Cisco IOS XE routers and switches running the Web User Interface (Web UI) with both the HTTP and HTTPS Server features activated. Successful exploitation could allow attackers to monitor network traffic, pivot into secure networks, and perform various man-in-the-middle attacks, according to VulnCheck. While no patch is available yet, the interim mitigations are to disable the web interface and remove all management interfaces from internet access. Cisco disclosed the vulnerability, saying it could allow unauthenticated attackers to remotely gain full administrative control over affected Cisco routers and switches. Evidence of these attacks first surfaced around September 18, with the creation of local user accounts named "cisco_tac_admin" and "cisco_support", which are potential indicators of malicious activity. In September, Cisco had warned customers about another zero-day vulnerability (CVE-2023-20109) in its IOS and IOS XE software that was being targeted by attackers. | Details |
| 2023-10-17 13:07:46 | theregister | NATION STATE ACTIVITY | US Authorities Urge Immediate Patching of Confluence Data Center Against Exploitation by Nation-State Actors | US organizations CISA, FBI, and MS-ISAC have urged network administrators to immediately patch a critical vulnerability in Atlassian Confluence Data Center and Server because of ongoing nation-state exploitation attempts. The advisory comes in response to the disclosure of CVE-2023-22515, which has a CVSS score of 10, the highest risk rating. Successful exploitation of this zero-day vulnerability could allow attackers to create new admin accounts and manipulate configuration files, among other actions. The authorities also emphasized the need to proactively hunt networks for intrusions or malicious activity, as updating alone won't necessarily remove threats already present. On discovering a compromised instance, administrators are advised to assume threat actors have full administrative access, which requires comprehensive action including eradicating unauthorized admin accounts and repairing damage. Where immediate patching is impossible, the authorities recommend the limited mitigation actions outlined by Atlassian. Microsoft confirmed that the nation-state threat actor Storm-0062, reportedly a Chinese state-backed group, has been actively attempting to exploit this vulnerability since September 2023. | Details |
| 2023-10-17 11:46:02 | thehackernews | CYBERCRIME | Free Webinar on Data Security Strategies for Financial and Accounting Data | The article announces a webinar called "Locking Down Financial and Accounting Data – Best Data Security Strategies." The webinar will be conducted jointly with experts from WinZip and will focus on digital threats to financial data, which is a prime target for cybercriminals. The authors point out that security breaches can lead to draining company funds, exploiting clients, and jeopardizing customers' data. The threats can arise from both malicious actors with harmful intentions and unintentional errors such as sending confidential emails to the wrong recipients. The tactics used to compromise data, such as ransomware attacks and inadvertent leaks in cloud storage, are diverse and constantly evolving. The key to navigating this terrain is knowledge, and the aim of the webinar is to arm attendees with the right tools and insights. | Details |
| 2023-10-17 10:18:18 | thehackernews | CYBERCRIME | Milesight Industrial Cellular Routers at Risk from Exploitation of Severe Flaw; Titan MFT and Titan SFTP Servers Also Vulnerable | A high-severity flaw affecting industrial cellular routers from Milesight is suspected to have been exploited in real-world attacks, according to findings from VulnCheck. The vulnerability can expose log and credential information to remote, unauthorized attackers. Affecting UR5X, UR32L, UR32, UR35, and UR41 routers prior to version 35.3.0.7, the flaw could allow unsanctioned control over VPN servers and could be used to drop firewall protections, leaving the network defenceless. An additional layer of risk arises because some routers permit sending and receiving SMS messages, which attackers could abuse for fraudulent activities causing financial damage. There is evidence of small-scale, real-world exploitation, with successful unauthorized access attempts on systems reported in France, Lithuania, and Norway; attackers were able to extract login credentials from httpd.log, indicating that the flaw has been weaponized. Although about 95% of the approximately 5,500 internet-exposed Milesight routers run non-vulnerable firmware versions, it is advisable to assume a system-wide compromise, refresh all credentials, and limit the internet reachability of management interfaces. Concurrently, multiple security flaws have been identified in South River Technologies' Titan MFT and Titan SFTP servers that could grant remote super-user access to affected hosts. Despite the high risk, large-scale exploitation is deemed unlikely because the vulnerabilities require non-default configurations and post-authentication access. | Details |
| 2023-10-17 10:18:18 | thehackernews | MALWARE | The Emergence of Malicious Generative AI: Understanding the Role of FraudGPT and WormGPT | The rise of malicious generative AI, such as FraudGPT and WormGPT, is posing new challenges to the cybersecurity landscape. FraudGPT uses machine learning to generate deceptive content, making it a potent tool for cyberattacks: it can craft tailored spear-phishing emails, create counterfeit invoices, fabricate news articles, and more. WormGPT is another rogue AI model with the capacity to respond to queries about hacking and other illicit activities. These AI tools are being marketed as "starter kits for cyber attackers," offering advanced tooling to aspirants for a subscription fee, but they do not offer significantly more than what a cybercriminal could manage using existing generative AI tools. The fear is that these AI systems can be used to produce highly convincing content for phishing emails and fraudulent schemes, and even to generate malware. Because of their limitations, lack of sophistication, and the fact that they are not built on advanced AI models, these tools do not yet represent a significant shift in the cybersecurity domain. As they evolve, businesses are advised to prepare for highly targeted and personalized attacks; detailed information about the tactics used by malicious actors leveraging these technologies can help in developing effective countermeasures. | Details |
| 2023-10-17 07:35:18 | theregister | MISCELLANEOUS | UK Researchers Find Sustainable Aviation Fuel Could Cut Emissions by 80% | Researchers from the National Centre for Atmospheric Science and the University of Manchester have found that sustainable aviation fuels (SAFs), derived from non-fossil sources, could reduce emissions by up to 80%. SAFs made from wastes and other unconventional sources could replace traditional jet fuel without altering the aircraft's existing hardware. The study indicates potential improvement in air quality near airports due to a decrease in ultrafine black carbon emissions from commercial jets idling at low thrust before takeoff. US aviation regulators are aiming at a net-zero aviation system by 2050, requiring a significant increase in SAF production, though the UK might need to dedicate half of its farmland or double its renewable electricity supply to meet the same goal. Emerging technologies such as hydrogen-fueled and electric aircraft could propel the aviation industry towards sustainability, although these developments are currently in the early stages. Obstacles for these technologies range from generation and supply concerns to the required infrastructure, and there is a lack of data on whether the aviation sector is on course for meeting these targets. | Details |
| 2023-10-17 05:48:27 | thehackernews | CYBERCRIME | Ukrainian Telecom Providers Suffer Cyberattacks Causing Service Disruptions | The Computer Emergency Response Team of Ukraine (CERT-UA) has reported interference with at least 11 telecommunications service providers in the country between May and September 2023. The cyberattacks led to service interruptions for customers; the threat actors began with a reconnaissance phase to identify potential network entry points at the telecom companies. They employ specialized programs called POEMGATE and POSEIDON for credential theft and remote control of infected hosts, and a utility named WHITECAT to erase the forensic trail. Unauthorized access to the telecom providers' networks is achieved via VPN accounts lacking multi-factor authentication, after which attempts are made to disable network and server equipment. CERT-UA stated that compromised legitimate email addresses are subsequently used to deliver SmokeLoader malware to PCs, with the intent to steal authentication data or alter financial documents in remote banking systems for unauthorized payments. CERT-UA noted that the reconnaissance and exploitation activities are being carried out from previously compromised servers located within the Ukrainian segment of the internet, using Dante, SOCKS5, and other proxy servers to route traffic. This report follows an earlier statement from CERT-UA about four observed phishing waves conducted by a hacking group it tracks as UAC-0006, also utilizing SmokeLoader malware. | Details |
| 2023-10-17 04:16:42 | thehackernews | CYBERCRIME | Actively Exploited Zero-Day Vulnerability Identified in Cisco IOS XE Software | Cisco has warned of a critical, unpatched zero-day vulnerability (CVE-2023-20198) in its IOS XE software that is being actively exploited by an unidentified attacker. The flaw is rooted in the web user interface feature and is rated 10.0 in severity on the CVSS scoring system. It affects enterprise networking gear that has the Web UI feature enabled and exposed to the internet or untrusted networks. The flaw allows a remote, unauthenticated attacker to create an account with privileged access and take control of the affected system; it affects both physical and virtual devices with the HTTP or HTTPS server feature enabled. Malicious activity was first detected on a customer device in September 2023, when a local user account was created from a suspicious IP address. More unauthorized activity from a different IP address was noted in October 2023, followed by the deployment of a Lua-based implant. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory and added the flaw to its Known Exploited Vulnerabilities catalog. As a mitigation measure, Cisco recommends disabling the HTTP server feature on internet-facing systems. While the implanted backdoor is not persistent, the rogue privileged accounts created by the attacker remain active. The threat actor's identity remains undetermined at this stage. | Details |
| 2023-10-17 03:10:21 | theregister | MISCELLANEOUS | Imminent Changes to Cyber Security Regulations Demand Compliance | Imminent changes to cyber security regulations in the US and Europe require that both public and private sector organisations ensure compliance. The new Securities and Exchange Commission mandate will be enforced from 18 December, making it essential for organisations to report any cyber incidents and present a Cyber Report detailing their cyber health. The US Department of Defense (DoD) 8140.3 directive, which will be enforced by February 2024, requires that anyone working within the DoD validate their cyber skill set. The European Union NIS II Directive requires critical sector organisations operating in member states to take appropriate security measures and notify relevant national authorities of serious incidents by 17 October 2024. SANS, a security training company, has put together a Cyber Compliance Countdown event to assist organisations in navigating these new regulations. The event will offer advice on incident response plans, training ahead of the new regulations, and analysing new cyber security guidelines. | Details |
| 2023-10-16 21:30:10 | bleepingcomputer | MALWARE | Advanced Persistent Threats Now Using Discord for Malicious Activity | Discord has become a hub for malicious activity, including malware distribution, data exfiltration, and theft of authentication tokens. A new report by Trellix reveals that Advanced Persistent Threat (APT) groups have also joined the platform to target critical infrastructure. Malicious actors abuse Discord in three ways: distributing malware through its content delivery network (CDN), modifying the Discord client to steal passwords, and using Discord webhooks to exfiltrate data from victims' systems. Over 10,000 malware samples have reportedly used Discord's CDN to deliver second-stage payloads, mainly malware loaders and general loader scripts, and data theft via Discord webhooks has been noted in 17 malware families. The ability to hide behind Discord's legitimate features to evade antivirus detection and network monitoring tools, along with the platform's ease of setup and use, has appealed to cybercriminals and makes it difficult for the platform to deter misuse. The report also notes that sophisticated threat groups have started using Discord, blending their activities with everyone else's and making it nearly impossible to track and attribute their actions; one unidentified group has targeted critical infrastructure in Ukraine through spear-phishing. The challenges posed by the platform's scale, encrypted data exchange, and the legitimate function of the abused features make it difficult for Discord to discern malicious activity. Banning suspect accounts doesn't appear to deter the creation of new ones, suggesting the problem may worsen in the future. | Details |
| 2023-10-16 20:13:41 | bleepingcomputer | CYBERCRIME | Kansas State Courts Offline Following Cybersecurity Incident; Court Operations Remain Functional | The IT systems of state courts across Kansas remain offline following a "security incident." Impacted systems include the eFiling system, electronic payments system, and case management systems. The state's Supreme Court has issued an administrative order confirming that clerk offices in appellate courts and most district courts (except Johnson County) are offline. Despite these disruptions, the courts remain operational, with submissions currently being made in paper format or via fax, as electronic filing and payments cannot be accepted. The Kansas Supreme Court has indicated this measure extends filing deadlines under the applicable rules and statutes. The Office of Judicial Administration is working with experts to investigate the security breach and provide a timeline for system recovery soon. This incident follows another recent alleged cyberattack on First Judicial Circuit state courts in Northwest Florida by the ALPHV (BlackCat) ransomware gang. Florida court authorities confirmed operations remain uninterrupted but are yet to verify ALPHV's claims. | Details |
| 2023-10-16 19:12:19 | bleepingcomputer | CYBERCRIME | Hackers Actively Exploit Zero-Day Vulnerability in Royal Elementor Addons and Templates on WordPress | Hackers are currently exploiting a critical vulnerability in WordPress' Royal Elementor Addons and Templates, a widely-used website-building kit. The flaw, labelled CVE-2023-5360 and rated 9.8 "Critical" under CVSS v3.1, allows unauthenticated attackers to conduct arbitrary file uploads on vulnerable websites. The hackers are also able to manipulate the allowed file upload list, achieving remote code execution and potentially gaining complete control over a website. WordPress security firms Wordfence and WPScan have recorded thousands of attacks targeting Royal Elementor since August 30, 2023. Most attacks originate from two IP addresses, suggesting only a few threat actors are aware of the exploit. The vendor of the add-on was informed about the flaw on October 3, 2023, and subsequently released an update (version 1.3.79) on October 6, 2023, to patch the vulnerability. Vulnerable users are recommended to update to the latest version as soon as possible, and to perform a website cleanup, as the patch does not automatically remove or delete malicious files. | Details |
| 2023-10-16 18:10:44 | bleepingcomputer | NATION STATE ACTIVITY | Russian Sandworm Hackers Compromise 11 Ukrainian Telecommunication Service Providers | The Ukrainian Computer Emergency Response Team (CERT-UA) reports that Sandworm, a state-sponsored Russian hacking group, compromised 11 Ukrainian telecom service providers between May and September 2023. The hackers interfered with the communication systems of the targeted telcos, causing service disruptions and possible data breaches. The group has seen increased activity against Ukraine throughout 2023, with techniques involving phishing schemes, Android malware, and data wipers. Sandworm initiates its attacks by performing reconnaissance on a telecom company's networks, looking for insecure ports and unprotected RDP or SSH interfaces. The hackers then utilize several tools to identify possible vulnerabilities in web services that can be exploited to obtain access. The group also deploys proxy servers to make its intrusions less conspicuous, and has been found using two backdoors, 'Poemgate' and 'Poseidon,' which help maintain persistent access to compromised systems and facilitate deeper network infiltration. In the final attack stages, the hackers deploy scripts that trigger service disruptions and delete backups to complicate recovery. To safeguard their systems, CERT-UA recommends that all Ukrainian service providers follow its guide on thwarting cyber intrusions. | Details |
| 2023-10-16 17:34:35 | theregister | CYBERCRIME | Kansas State Courts Forced to Rely on Paper Filing Amid Mysterious Security Incident | A security incident has forced state courts across Kansas to resort to paper filings, potentially for several weeks, according to a warning from a state judge. The specifics of the incident are currently unclear. The Kansas Supreme Court stated that it was experiencing "network issues", causing it to turn off its eFiling system temporarily to allow for security checks. Various state eFiling systems, including the Protection Order Portal, online marriage applications, and payment processing systems, among others, are all currently affected. The Municipal Court, Probation, and Prosecution divisions in Topeka have also been closed to the public on account of "possible security concerns" with one of the court's systems. According to statements from the Kansas Supreme Court and the city of Topeka, it is currently unknown whether these security concerns are connected to the Kansas Supreme Court's network security issue. One county, Johnson County, is still operating normally as per the Supreme Court's order; Johnson County is the only county not yet scheduled to receive the state's new centralized eCourt system. This incident may involve ransomware, considering the length of the cybersecurity response and the inaccessibility of systems or data, but no official confirmation has been provided yet. | Details |
| 2023-10-16 15:47:00 | bleepingcomputer | CYBERCRIME | Cisco Warns of Maximum Severity Zero-Day Vulnerability in IOS XE Software | Cisco's IOS XE Software has a severe zero-day vulnerability (CVE-2023-20198) that is actively exploited in attacks, allowing attackers to gain full control of affected routers. The vulnerability affects devices running the Web User Interface (Web UI) feature with the HTTP or HTTPS Server feature enabled. The vulnerability, currently unpatched, enables an attacker to create an account on the compromised device, granting full access and facilitating subsequent unauthorized activity. Cisco's Technical Assistance Center first noticed the attacks on September 28 due to unexpected behaviour on a customer device and found that the illicit activity had started on September 18. The attackers used authorized user access from suspicious IP addresses to create local accounts and deploy a malicious implant that allowed them to execute arbitrary commands at the system or IOS level. As a mitigation measure, Cisco strongly advises admins to deactivate the HTTP server feature on internet-facing systems, thereby blocking incoming attacks. To detect the implant on compromised devices, organizations are encouraged to look for unexplained or newly created user accounts as potential indicators of associated malicious activity. Last month, Cisco had warned customers to patch another zero-day vulnerability in its IOS and IOS XE software, indicating an increased focus on these platforms by attackers. | Details |