Daily Brief

Articles are listed below, each followed by a generated summary.

2023-10-14 06:33:43 thehackernews CYBERCRIME Microsoft to Phase Out NTLM for Kerberos to Bolster Security in Windows 11
Microsoft is planning to phase out NT LAN Manager (NTLM) authentication in Windows 11 in favour of stronger authentication. The company is strengthening the Kerberos authentication protocol, which has been the default since 2000, and is introducing two new features to support the change: Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos. NTLM, a suite of security protocols intended to provide authentication, integrity, and confidentiality, is vulnerable to relay attacks, making it the less secure option. Microsoft is also addressing hard-coded NTLM instances in preparation for disabling NTLM in Windows 11 and encouraging the use of Kerberos instead. The changes will be enabled by default and will not require configuration for most scenarios. NTLM will continue to act as a fallback mechanism to maintain compatibility.
2023-10-13 22:26:30 bleepingcomputer RANSOMWARE Increased Ransomware Attacks Continue, Major Corporations & Public Sectors Affected
Ransomware attacks have intensified, causing severe disruption to normal business operations and leading to data breaches when a ransom is not paid. Among those affected are Air Canada, state courts in Northwest Florida, and Simpson Manufacturing. The BianLian group is responsible for the attack on Air Canada, while ALPHV claimed the attack on the Northwest Florida state courts. The attack on Simpson Manufacturing caused the company to shut down its IT systems entirely, although it remains unconfirmed whether it was a ransomware attack. The complete source code for the first version of the HelloKitty ransomware has been leaked on a Russian-speaking hacking forum, alongside claims that a more potent version is in development. The Spanish airline Air Europa recently experienced a data breach that compromised customers' credit card information; customers have been advised to cancel their cards immediately. The Federal Bureau of Investigation (FBI) has shared technical details of and defence tips for AvosLocker ransomware, and unpatched WS_FTP servers are reported to be the new targets for ransomware attacks. Reports indicate that Q3 of 2023 was the most successful quarter ever recorded for ransomware attacks.
2023-10-13 20:14:07 bleepingcomputer DATA BREACH 23andMe Faces Multiple Lawsuits Following Large-Scale Data Breach
Genetic testing provider 23andMe has been hit with several class action lawsuits following a data breach that potentially impacted millions of its customers. In the breach, a threat actor leaked customer data on cybercrime forums, including sensitive information such as account IDs, full names, birth dates, DNA profiles, and location details. In response, 23andMe said the attackers used credential-stuffing attacks against weakly secured accounts and denied that its systems were breached directly. The company disclosed that the scope of the breach widened because customers had activated an optional feature named 'DNA Relatives,' which connects genetic relatives. 23andMe is working with third-party experts and law enforcement authorities to investigate the breach and plans to notify affected customers individually. The lawsuits criticise 23andMe for its lack of transparency regarding the breach, its inadequate security measures, and its failure to monitor its network for abnormal activity. Plaintiffs are seeking various forms of financial relief, including lifetime credit monitoring and both actual and punitive damages.
2023-10-13 19:58:29 bleepingcomputer DATA BREACH Multiple Class-Action Lawsuits Filed Against Genetic Testing Provider 23andMe over Major Data Breach
Genetic testing service 23andMe faces multiple class-action lawsuits following a significant data breach that potentially impacted millions of customers. The company says attackers accessed its platform via credential-stuffing attacks against poorly protected accounts. The breach involved the publication on hacker forums of a CSV file containing data on nearly 1 million Ashkenazi Jews who had used 23andMe's services. The disclosed details included users' account IDs, full names, sex, date of birth, DNA profiles, and location details. Although the original hacker retracted the post and opted to sell the stolen profiles instead, other threat actors continued to share the initial leak across cybercrime communities. The company explained that the breach expanded because customers had activated the optional 'DNA Relatives' feature. 23andMe has promised to notify impacted customers individually and to continue its investigation with the assistance of law enforcement and third-party experts. The lawsuits, filed in California, criticise 23andMe's lack of adequate network monitoring and proactive security measures, maintaining that the company should have been more alert to cybersecurity threats. The plaintiffs are seeking various forms of financial compensation, including restitution, lifetime credit monitoring, and coverage of attorney's fees, among others. Nominal damages are set at $1,000 and punitive damages at $3,000 per class member.
2023-10-13 19:02:22 theregister DATA BREACH Cloud PC Gaming Company Shadow Suffers Data Breach Due to Social Engineering Attack
Shadow, a French cloud service that offers Windows PC gaming among other services, has confirmed a data breach resulting from a social-engineering attack. The theft reportedly exposed customer data: an individual claiming responsibility is allegedly attempting to sell a database containing information on more than 530,000 Shadow customers on a cybercrime forum. Exposed data includes full names, email addresses, birth dates, billing addresses, and credit card expiration dates. CEO Eric Sele emphasised, however, that no passwords or sensitive banking data were compromised. Sele provided further details of the attack, stating that it began on Discord with the download of malware via a game on the Steam platform. From there, the attacker used a stolen cookie to access the management interface of one of Shadow's SaaS providers and extracted private customer information. In response, the company has locked down its systems and reinforced security protocols with its third-party providers. Sele apologised to customers and asserted Shadow's commitment to transparency.
2023-10-13 18:21:24 theregister CYBERCRIME Novice Ransomware Group Targets WS_FTP Servers; Sophos X-Ops Prevents Attacks
The first ransomware campaign to exploit a vulnerability in WS_FTP Server, a Progress Software product, was detected this week, according to security firm Sophos X-Ops. The cybercriminals reused code from the leaked LockBit 3.0 ransomware builder, and the fact that file encryption failed suggests they are relatively inexperienced. The perpetrators, identifying themselves as the "Reichsadler Cybercrime Group," demanded a notably low ransom (0.018 Bitcoin, or less than $500) compared with more established operations. The attackers' location is unclear, but the ransom note's timestamp was set to Moscow Standard Time. Sophos X-Ops was able to block the download of the ransomware payload after the intrusion technique triggered a detection rule in its product. Patches for the WS_FTP vulnerabilities were released on September 27, and the first wave of attacks was spotted on September 30. Security firm Assetnote found about 2,900 hosts running the file transfer software as of October 4, suggesting a sizeable potential target base.
2023-10-13 16:49:32 bleepingcomputer CYBERCRIME Microsoft Planning to Phase Out NTLM Authentication in Windows 11
Microsoft has announced plans to phase out the NTLM (New Technology LAN Manager) authentication protocol in Windows 11 because of its security weaknesses. NTLM, used to authenticate remote users and provide session security, is abused by threat actors in attacks such as NTLM relay and pass-the-hash. These attacks can give an attacker full control over a Windows domain, or access to sensitive data, using captured NTLM hashes. Microsoft has recommended that developers stop using NTLM since 2010, and has advised Windows administrators either to disable NTLM or to block NTLM relay attacks that target Active Directory Certificate Services (AD CS). The company is developing two new Kerberos features, IAKerb (Initial and Pass Through Authentication Using Kerberos) and Local KDC (Local Key Distribution Center), to broaden Kerberos usage and address the scenarios that currently cause Kerberos to fall back to NTLM. While working towards disabling NTLM in Windows 11, Microsoft plans to provide improved controls for monitoring and restricting NTLM usage, for administrators who must retain it for compatibility reasons.
2023-10-13 16:13:16 bleepingcomputer CYBERCRIME EtherHiding: Hackers Use Binance Smart Chain to Distribute Malicious Scripts
Cybercriminals are using a novel code-distribution method called 'EtherHiding' that hides malicious scripts in Binance Smart Chain contracts on the blockchain. The attackers initially used compromised WordPress sites that redirected to Cloudflare Worker hosts to inject malicious JavaScript into hacked sites, but switched to the blockchain because it offers a more resilient and evasive distribution channel. The technique, discovered by Guardio Labs researchers, tricks users of hijacked WordPress sites into downloading fake browser updates. The attack begins with the attackers exploiting vulnerable WordPress sites or compromising admin credentials to inject scripts into web pages. These scripts pull malicious code from the blockchain, which in turn triggers the download of a third-stage payload from the attackers' command-and-control (C2) servers. Because the C2 address is fetched directly from the blockchain, the attackers can change it frequently to evade blocking. Once a victim clicks the update button, they are led to download a malicious executable from Dropbox or another legitimate hosting service. Because the blockchain is decentralised and can run applications and smart contracts, code hosted on it cannot be taken down, which the researchers say makes such attacks unblockable. If successful, blockchain abuse could become an integral part of payload-delivery attack chains in the future, and mitigation efforts will need to focus heavily on improving WordPress security.
2023-10-13 15:32:16 theregister CYBERCRIME Microsoft Visual Studio's Trusted Locations Feature Exploited
Microsoft's Visual Studio integrated development environment (IDE) has been found to have weaknesses that allow a single-click remote code execution (RCE) exploit. The exploit was developed by Zhiniang Peng, principal security researcher and chief architect of security at Sangfor, and targets the default behaviour of Visual Studio's "trusted locations" feature. The feature is not enabled by default, which lowers the bar for a successful attack and exposes unaware users to risk. The issue remains unaddressed by Microsoft, which does not consider it a security vulnerability; Microsoft asserts that downloading and opening a project from platforms such as GitHub is inherently insecure. Peng's attack is deceptive because it relies on a .suo binary file, which is hidden by default in a project's file explorer view and is hard to read. Despite the clear demonstration, Microsoft has maintained that the issue does not constitute a "true" vulnerability and will not be patched. Peng further noted that another protection, Mark of the Web (MOTW), is not honoured by Visual Studio: solution (.sln) files can be opened without any warning, making the protection easy to bypass.
2023-10-13 14:56:11 bleepingcomputer CYBERCRIME US Cybersecurity Agency Reveals Vulnerabilities and Misconfigurations Exploited by Ransomware Gangs
The US Cybersecurity and Infrastructure Security Agency (CISA) has released further information about the security vulnerabilities and misconfigurations that ransomware attackers exploit, to help critical infrastructure organisations counter such attacks. CISA's Ransomware Vulnerability Warning Pilot program, launched in January 2021, has identified and shared details on more than 800 susceptible systems with internet-accessible vulnerabilities commonly exploited by ransomware operations. Recognising that organisations may be unaware that ransomware threat actors are exploiting vulnerabilities within their networks, CISA has made this information available to all organisations through the Known Exploited Vulnerabilities (KEV) Catalogue. As a companion resource, CISA has created the Misconfigurations and Weaknesses list, detailing oversights known to be used in ransomware attacks. These efforts respond to increasing ransomware threats against critical infrastructure and US government agencies. Other measures include the Ransomware Readiness Assessment, introduced in June 2021, and guidance intended to help prevent data breaches resulting from ransomware incidents. CISA has also formed an alliance with the private sector, the Joint Cyber Defense Collaborative, to protect US infrastructure from ransomware and other cyber threats, and has launched StopRansomware.gov, a dedicated site offering information on mitigating ransomware attacks.
2023-10-13 14:50:45 theregister NATION STATE ACTIVITY EU Cyber Resilience Act Poses Major Concerns for Open Source Developers
The EU Cyber Resilience Act (CRA) has raised concerns among open source developers, who fear its stringent regulations may hinder software development. The CRA, approved on July 13, 2023, imposes strict cybersecurity requirements on all applications and devices sold in the EU. It requires software creators, including individual developers, to fix security flaws and to regularly update and validate their products. Even developers outside the EU who distribute software over the internet could be liable for CRA penalties, with the potential for significant fines. Non-profit foundations and private companies developing open source software would also need to comply. The CRA may be amended to exclude some open source projects with a "fully decentralized development model". The concern is that the complexity of CRA compliance may be too much for individual developers and small or medium-sized businesses to handle. The Linux Foundation Europe has encouraged concerned developers to act swiftly in response to the legislation and has suggested available courses of action.
2023-10-13 14:34:48 thehackernews CYBERCRIME New 'PEAPOD' Cyberattack Targets EU Military Personnel, Political Leaders Working on Gender Equality
A new version of the RomCom RAT malware, known as PEAPOD, is being used in a cyberattack campaign targeting European Union military personnel and political leaders involved in gender equality initiatives. The malware is typically distributed through highly targeted spear-phishing emails and decoy online advertisements that lure victims to counterfeit sites hosting trojanised applications. The campaign is attributed to a group tracked as Void Rabisu, which conducts both financially motivated and espionage attacks and has tended to focus on Ukraine and the nations supporting it in its conflict with Russia. Microsoft had previously implicated Void Rabisu in the exploitation of a remote code execution flaw in Office and Windows HTML. PEAPOD communicates with a command-and-control server to execute operations on the targeted system and includes new defence-evasion techniques. The latest attacks, in August 2023, delivered an updated, slimmed-down version of the malware via a decoy website hosting an executable that appears to contain photos from a Women Political Leaders Summit. The file instead drops 56 decoy photos onto the targeted system and retrieves a DLL from a remote server, reducing the malware's footprint and complicating detection. Trend Micro has speculated that Void Rabisu may be one of the financially motivated criminal groups that have moved into cyberespionage because of the geopolitical situation created by the war in Ukraine.
2023-10-13 12:52:30 theregister DATA BREACH Equifax Fined Over £11M by UK Financial Conduct Authority for 2017 Data Breach
The UK's Financial Conduct Authority (FCA) has fined Equifax over £11 million ($13.6 million) for severe failings relating to the 2017 data breach, which affected 13.8 million UK citizens. The original fine was much higher (£15,949,200, or $19,428,836) but was reduced because of Equifax's cooperation throughout the investigation and its decision to agree to the penalty early in the proceedings. The regulator highlighted that Equifax's mishandling of the situation, including initially misleading the public about the severity of the breach and failing to promptly notify regulators, was preventable. The FCA emphasised that financial firms should have robust cybersecurity measures in place to protect personal data and should promptly communicate with regulators in the event of a breach. Equifax was faulted over its Data Processing Agreement with its parent company, Equifax Inc., under which UK consumer data was outsourced to Equifax Inc.'s US servers for processing, ultimately resulting in the breach. The breach was caused by exploitation of an unpatched Apache Struts vulnerability (CVE-2017-5638), which Equifax failed to address because of lax security practices. The FCA also criticised Equifax for inaccurate public statements following the breach and for failing to maintain quality assurance checks on complaints, which led to mishandling. Equifax stated that it has invested over $1.5 billion in a security and technology transformation since the attack and argues that it now has one of the industry's most advanced cybersecurity programmes.
2023-10-13 11:56:07 thehackernews NATION STATE ACTIVITY ToddyCat APT Upskills with New Malicious Tools for Data Exfiltration
Researchers from Kaspersky have linked the advanced persistent threat (APT) group ToddyCat to a suite of new tools intended for data exfiltration, expanding what is known of its capabilities and techniques. A follow-up investigation into the group, identified last year as being behind attacks on high-profile targets in Europe and Asia over a three-year period, uncovered a set of malicious software designed for persistence, file operations, and loading additional payloads at runtime. Kaspersky identified a series of loaders capable of launching the Ninja Trojan as a second stage, a tool called LoFiSe for locating and gathering files of interest, an uploader that stores stolen data in Dropbox, and Pcexter, which transfers archive files to Microsoft OneDrive. ToddyCat also reportedly uses custom scripts for data collection, a passive backdoor that receives commands via UDP packets, Cobalt Strike for post-exploitation, and compromised domain admin credentials for lateral movement in support of its espionage. In a related disclosure, Check Point reported that selected government and telecom organisations in Asia have been targeted by an ongoing campaign since 2021 that uses a broad range of "disposable" malware to avoid detection and deliver subsequent-stage malware. That activity is said to use infrastructure that overlaps with ToddyCat's.
2023-10-13 11:09:54 thehackernews CYBERCRIME Ransomware Attacks Double Year-over-year; Healthcare Industry Top Target
Ransomware attacks have doubled year-over-year, with growing sophistication and expanded capabilities, and the tactics deployed by ransomware groups have successfully bypassed existing defence strategies. There is a noticeable shift in focus towards the Healthcare sector, which now accounts for one-fourth of all ransomware attacks and is among the top five targeted sectors because of its valuable protected health information (PHI). High-income organisations handling sensitive data are the primary focus of ransomware attacks. Alongside Healthcare, the Professional Services, IT & ITES, and Construction sectors have all been targeted because of their high net worth and expanded attack surfaces. The US continues to be the most targeted nation, owing to its high degree of digitisation and political significance, followed by the UK, Italy, and Germany. Despite the emergence of newer ransomware groups, LOCKBIT remains a dominant threat, with a reported 240 confirmed victims in Q3 2023. Ransomware operators have adopted Rust and Go for their operations, making their activity harder to analyse and trace. In response, organisations are strengthening their security through measures such as Zero-Trust Architecture and multi-factor authentication, more rigorous vulnerability management, and thorough incident response planning.