Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11615
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-16 15:20:27 | theregister | MALWARE | China-linked Hackers Utilize New Backdoor "BLOODALCHEMY" to Target Southeast Asian Nations | Elastic Security Labs has discovered a new backdoor, called "BLOODALCHEMY," that is being used in cyber attacks against enterprises and government bodies in the Association of Southeast Asian Nations (ASEAN). The backdoor is part of an intrusion set, REF5961, which is likely connected to a China-aligned group. This group is also suspected of launching a separate espionage-focused attack on the Mongolian government. The BLOODALCHEMY malware targets x86 systems and is believed to be a work in progress, given the limited number of effective commands observed by researchers. The backdoor's commands include overwriting the malware toolset, launching the malware binary, gathering host information, and uninstalling and terminating itself. Persistence is achieved through several techniques, and the malware features multiple running modes, string encryption for masking data, and additional obfuscation methods. REF5961 contains three additional newly discovered malware families, termed EAGERBEE, RUDEBIRD, and DOWNTOWN, which have also been linked to earlier attacks. The researchers believe that the adversaries behind the intrusion set are state-sponsored and involved in espionage. Notably, China's state-sponsored cyber campaigns have traditionally centered largely on espionage. | Details |
| 2023-10-16 15:20:26 | bleepingcomputer | MALWARE | Fake RedAlert Rocket Alert App Installs Android Spyware on Israeli Users' Devices | A fake version of the 'RedAlert – Rocket Alerts' app is being used to install spyware on Android devices in Israel. The legitimate app notifies Israelis about incoming rockets targeting the country. The app has seen a surge in interest due to the recent rocket attacks in southern Israel, which unknown hackers have exploited by creating an identical-looking malicious version with spyware capabilities. The fake version is distributed via the website "redalerts[.]me," created in October 2023. The Android download link on this website leads to an APK file that contains the spyware. The APK requests additional permissions from victims, such as access to the user's contacts and SMS messages. Once granted, this information is encrypted and uploaded to a hardcoded IP address. The app also includes built-in anti-debugging features to hinder analysis by security researchers. The fake app's website is currently offline, but the threat actors are expected to re-emerge with a new domain. To mitigate the risk, users are advised to review the permissions the app requests and ensure they are running the latest version, which should include security patches for the vulnerabilities that could be used to hijack the device. | Details |
| 2023-10-16 15:09:14 | bleepingcomputer | CYBERCRIME | CISA, FBI, and MS-ISAC Urge Immediate Patching of Critical Atlassian Confluence Flaw | CISA, the FBI, and MS-ISAC have issued warnings urging network admins to immediately patch a critical privilege escalation flaw in Atlassian Confluence servers, tracked as CVE-2023-22515. The flaw impacts Confluence Data Center and Server 8.0.0 and later versions. Attacks exploiting this flaw, which are low-complexity and require no user interaction, have been traced back to a Chinese-backed threat group, Storm-0062, also known as DarkShadow or Oro0lxy, since September 14, 2023. To mitigate the risk, Atlassian advised customers to upgrade their Confluence instances to one of the fixed versions. Those who could not upgrade were advised to shut down or isolate affected instances from internet access while also checking for indicators of compromise. While cybersecurity firm Greynoise has found that exploitation of this flaw has been very limited so far, CISA, the FBI, and MS-ISAC expect this to change following the release of proof-of-concept exploits by pentester Valentin Lobstein and Sophee security engineer Owen Gong, along with a detailed technical analysis of the vulnerability published by Rapid7 researchers. The three organizations further stressed the importance of patching Confluence servers promptly, given their historical appeal to attackers, as demonstrated by previous campaigns involving Linux botnet malware, crypto miners, and AvosLocker and Cerber2021 ransomware. | Details |
| 2023-10-16 13:57:23 | thehackernews | NATION STATE ACTIVITY | Pro-Russian Hackers Exploit WinRAR Vulnerability in Phishing Campaign | Pro-Russian hacking groups are using a known security vulnerability in the WinRAR archiving utility in a phishing operation aimed at gathering credentials from affected systems. The vulnerability, tracked as CVE-2023-38831, affects WinRAR versions prior to 6.23. The attack leverages malicious archive files that contain a booby-trapped PDF file. When this file is clicked, a Windows Batch script runs, leading to PowerShell commands that open a reverse shell and give the attacker remote access to the targeted system. The operation also deploys a PowerShell script to steal data, including login credentials, from the Google Chrome and Microsoft Edge browsers, and exfiltrates the captured information via the legitimate web service webhook[.]site. The WinRAR bug being exploited allows arbitrary code execution when a user attempts to view a benign file inside a ZIP archive. It has been weaponized as a zero-day since April 2023, particularly against traders. Google-owned Mandiant recently mapped out Russian nation-state actor APT29's swiftly evolving phishing operations targeting diplomatic bodies. APT29's evolving tactics and tradecraft are likely designed to facilitate larger-scale operations and hinder forensic analysis. Other Russian activity groups have been targeting Ukraine since the war broke out in early 2023, including Turla, which has been deploying the Capibar malware and Kazuar backdoor to conduct espionage attacks on Ukrainian defensive assets. | Details |
| 2023-10-16 12:15:31 | thehackernews | MALWARE | SpyNote Trojan Threat: Android Malware Records Audio, Phone Calls, and Thwarts Uninstallation Attempts | The Android banking trojan known as SpyNote is spreading via SMS phishing campaigns that trick users into installing the app by clicking an embedded link. The malware requests invasive permissions to access call logs, the camera, SMS messages, and external storage, and is designed to hide its presence from the Android home screen and the Recents screen. SpyNote grants itself additional permissions to record audio and phone calls, log keystrokes, and capture screenshots of the phone via the MediaProjection API. The trojan includes features known as diehard services that resist attempts to terminate it, registering a receiver that restarts the malware automatically whenever it is about to be shut down. Users' attempts to uninstall the app through the Settings menu are thwarted by the malware's ability to close the menu screen. Ultimately, victims may have to resort to a factory reset, losing all data on the device, to remove the malicious app. This warning comes as part of a broader advisory on bogus Android apps that pose as system updates to trick users into granting permissions and then steal SMS and banking data. | Details |
| 2023-10-16 11:59:50 | thehackernews | CYBERCRIME | Increase in SaaS Security Breaches Triggers Advancements in Security Management Tools | There has been a significant increase in SaaS security breaches in the past two years, with 55% of organizations experiencing incidents such as data leaks, data breaches, ransomware attacks, and malicious applications. Misconfigured security settings continue to be a major route for breaches, contributing to 35% of security incidents. Organizations recognize manual audits and CASB deployments as only partial solutions, and about 80% of them plan to use a SaaS Security Posture Management (SSPM) tool like Adaptive Shield for automated configuration and SaaS security monitoring by September 2024. With the adoption of SSPM, organizations are improving their understanding of SaaS app users and recognizing the importance of identity and access governance in SaaS app security. SaaS-to-SaaS access, or third-party application integrations, has emerged as a substantial attack vector. Despite enhancing workflows, these app integrations often carry significant risk because they request intrusive permission scopes, ranging from read/write access to the ability to delete entire folders and drives of data. Professional delivery of SaaS security information through video series like "SaaS Security on Tap," hosted by Eliana V, is becoming an effective way to educate organizations on the evolving threat vectors and the importance of SaaS security management. | Details |
| 2023-10-16 09:37:13 | thehackernews | CYBERCRIME | Signal Refutes Alleged Zero-Day Flaw Reports | Encrypted messaging app Signal has refuted "viral reports" of an alleged zero-day flaw in its software, stating it found no evidence to support these claims. Despite circulating reports of a zero-day exploit in Signal that could grant complete access to a targeted mobile device, the company remains confident that the claims are invalid. Signal has urged those with legitimate information to report it through its official security channels. This controversy arises amidst disclosures that zero-days for infiltrating messaging apps are being sold for a hefty price, making them lucrative for nation-state threat actors. A report from Amnesty International linked spyware attacks against journalists, politicians, and academics in various countries to the Intellexa alliance, a consortium known for developing the Predator malware. A recent report also revealed that commercial surveillance vendors are exploiting the digital advertising ecosystem to globally target and infect mobile devices using ad networks. | Details |
| 2023-10-16 06:08:35 | bleepingcomputer | MISCELLANEOUS | Signal Refutes Claims of a Zero-Day Bug Exploiting Its 'Generate Link Previews' Feature | Rumors of a zero-day security vulnerability in the Signal application, associated with its 'Generate Link Previews' feature, surfaced online. As alleged, the flaw could potentially lead to a complete device takeover. The instant messaging app Signal, known for its strong encryption, investigated the claims but found no evidence that such a vulnerability is real. After examining the allegations, the Signal security team asked anyone with concrete information about the issue to get in touch immediately. Initially, news of the flaw spread quickly among the cybersecurity community and on online platforms, citing unverified US government (USG) sources. In the absence of solid proof or verified reports, users might prefer to temporarily disable the Link Previews feature as a precaution until a formal investigation concludes that the allegations are groundless. | Details |
| 2023-10-16 05:02:20 | thehackernews | MALWARE | Binance's Smart Chain Utilised in EtherHiding Malware Campaign | The EtherHiding malware campaign has leveraged Binance's Smart Chain (BSC) contracts to host malicious code, marking a new development in cybercriminal tactics. The campaign was discovered by Guardio Labs two months ago and uses compromised WordPress sites to deploy malware such as Amadey, Lumma, and RedLine. The attackers use malicious plugins and public security flaws to breach websites, then inject JavaScript that queries the BSC through a smart contract created at an attacker-controlled blockchain address. This process fetches further scripts from a command-and-control server that produce deceptive browser update notices; if a user clicks on the update, they download a malicious executable. Security researchers have flagged the associated blockchain addresses and contracts as part of a phishing scheme; however, because of the decentralized nature of the blockchain, they cannot be taken offline. To protect against such attacks, WordPress users are advised to follow security best practices, update their systems regularly, remove unneeded admin users, and use strong passwords. | Details |
| 2023-10-16 03:00:15 | theregister | DATA BREACH | Progress Software faces legal fallout and SEC investigations over MOVEit vulnerability | The US Securities and Exchange Commission (SEC) is investigating Progress Software after a cyber breach exploited bugs in its MOVEit file transfer software. Progress stated in an SEC 10-Q filing that it had received a subpoena seeking various documents and information relating to the vulnerability. The software firm is also facing 58 class action lawsuits filed by individuals claiming to have been impacted by the data exfiltration from the environments of its MOVEit Transfer clients. On top of this, the company has received formal letters from 23 MOVEit customers alleging that the vulnerability has cost them money, and some are seeking indemnification. An insurer has also filed a subrogation claim against Progress, seeking recovery of all expenses associated with the MOVEit vulnerability. Domestically and internationally, the firm is cooperating with inquiries from data privacy regulators, state attorneys general, and a federal law enforcement agency, all of which are investigating the matter. Another exploit in a Progress file transfer application, WS_FTP, was also briefly mentioned in the SEC filing; the firm stated that it had patched this issue. | Details |
| 2023-10-15 15:15:08 | bleepingcomputer | CYBERCRIME | Valve Implements SMS Verification on Steam Platform to Thwart Malware Attacks via Compromised Game Updates | Streaming platform Steam is introducing SMS-based user verification to improve security against malicious updates and infected game builds. The implementation comes in response to an increasing number of reports of compromised Steamworks accounts being used to spread malware to players via unauthorized updates; the impacted user base was reported to be in the hundreds. Effective October 24, 2023, game developers will be required to pass an SMS-based security check before updating games on the platform's default release branch. The same SMS procedure will apply to anyone adding new users to a Steamworks partner group. Despite Valve's efforts, critics argue that SMS verification will not fully protect against attacks, as evidenced by an incident in which a game developer's credentials were stolen by malware that captured session tokens. SMS-based verification is also susceptible to SIM-swap attacks; critics recommend authenticator apps or physical security keys for stronger protection. | Details |
| 2023-10-15 14:19:06 | bleepingcomputer | CYBERCRIME | Women Political Leaders Summit Targeted by 'Void Rabisu' with RomCom Malware Variant | The Women Political Leaders (WPL) Summit in Brussels was targeted by 'Void Rabisu' with a lightweight variant of the RomCom backdoor. The campaign used a fake website, which mirrored the WPL website, to trap individuals interested in the summit. According to a report by Trend Micro, the deceptive site linked to a OneDrive folder containing a malware downloader disguised as 'Unpublished Pictures.' The malware variant reportedly utilises a new Transport Layer Security (TLS) enforcement system to make Command and Control (C2) communications more resistant to snooping. Void Rabisu, previously known for opportunistic ransomware attacks, has been utilising a stealthier backdoor and exploiting zero-day vulnerabilities in Microsoft products. This latest attack indicates a shift towards high-level cyberespionage campaigns by Void Rabisu, and Trend Micro has warned that the group may target other large conferences related to special interest groups. | Details |
| 2023-10-14 15:19:04 | bleepingcomputer | CYBERCRIME | Researchers Develop AI Algorithm to Protect Military Robots from MitM Cyberattacks | Researchers at the University of South Australia and Charles Sturt University have developed an artificial intelligence (AI) algorithm that can detect and intercept man-in-the-middle (MitM) cyberattacks on unmanned military robots. In a MitM attack, data traffic between two parties is intercepted, enabling attackers to read or modify the transmitted data, or potentially hijack control of the robots. Military robot operating systems are particularly susceptible to such attacks due to their highly networked nature, necessitated by their collaborative operation with sensors and controllers communicating via cloud services. The researchers used machine learning techniques to develop an algorithm that can detect these attacks and shut them down within seconds. The algorithm was tested on a replica of a robot used by the U.S. Army and successfully prevented attacks 99% of the time. Advanced versions of this system could extend protection to more complex robotic applications such as unmanned aerial vehicles. The technology works by thoroughly scrutinizing packet data, using a node-based system and a flow-statistic-based system that analyzes metadata from the packet header. The researchers used a convolutional neural network model, which provided highly reliable detection outcomes. | Details |
| 2023-10-14 14:12:43 | bleepingcomputer | MALWARE | Compromised Skype Accounts Serve as Conduits for DarkGate Malware Attacks | Between July and September, attackers used compromised Skype accounts to deliver DarkGate malware via messages containing VBA loader script attachments. The cybercriminals were able to infiltrate the victims' Skype accounts, take control of existing conversation threads, and name the malware files to match the chat context. The exact method of the initial account compromise remains unclear, but Trend Micro conjectures it may be due to leaked credentials on underground forums or a prior compromise of the parent entity. Trend Micro also noticed attempts to deliver the same DarkGate payload through Microsoft Teams in organizations that allow messages from external users. The attackers' objectives range from full penetration of the target environment to threats such as ransomware and cryptomining, depending on the specific DarkGate variant used. The increased use of DarkGate for initial access into corporate networks since the shutdown of the Qakbot botnet in August underscores the growing influence of this malware-as-a-service operation. While delivery methods vary, from phishing to malvertising, the surge in DarkGate activity demonstrates the threat actors' determination to adapt their tactics despite disruptions and challenges. | Details |
| 2023-10-14 11:40:08 | bleepingcomputer | CYBERCRIME | Ubuntu Pulls Desktop Release Due to Hate Speech Inserted in Ukrainian Translations | Ubuntu, the popular Linux distribution, has withdrawn its Desktop release 23.10 over hate speech embedded in its Ukrainian translations. The company identified a malicious contributor as the source of the anti-Semitic, homophobic, and xenophobic slurs, which were injected using a third-party tool that exists outside the Ubuntu Archive. Ubuntu took down the affected images three hours after the release, stating that the issue solely affects translations shown to users during installation in the Live CD environment, in memory only, without being written to disk. Users upgrading from a previous Ubuntu release are therefore not affected. The malicious strings were reported to have been appended toward the end of the translations file by a user named "Danilo Negrilo," making them harder to detect. While this incident was restricted to translations, it has raised concerns among users about potential malware attacks, given the dependencies involved in future Ubuntu releases. Ubuntu has restored the Ukrainian translations to their pre-incident state and is currently conducting a broader audit before making the release officially available again. For the moment, users can download Ubuntu Desktop 23.10 using the unaffected Legacy installer ISO or upgrade from a previously supported release. | Details |