Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11552

Checks for new stories every ~15 minutes

Title Summary
2023-10-05 18:22:16 theregister CYBERCRIME Apple Patches Zero-Day Vulnerabilities in iOS and iPadOS Amid Increasing Attacks
Apple has responded quickly to two vulnerabilities in iOS and iPadOS, shipping fixes for CVE-2023-42824 and CVE-2023-5217. CVE-2023-5217 is a heap buffer overflow in the VP8 encoder of libvpx that can lead to arbitrary code execution; it is fixed by updating to libvpx 1.13.1. CVE-2023-42824 is a kernel flaw that lets a local attacker elevate privileges and may have been exploited against versions of iOS before 16.6; Apple fixed it with improved checks. Both fixes ship in iOS 17.0.3 and iPadOS 17.0.3, available for the iPhone XS and later, 6th generation iPads and later, and the 5th generation iPad mini and later. Apple has recently had to issue a series of rapid patches, including one for a kernel privilege escalation tracked as CVE-2023-41992; it is unclear whether CVE-2023-41992 and CVE-2023-42824, both kernel privilege escalations, are related. CVE-2023-41992 was used by the Predator spyware sold by Intellexa to target iPhone users. Users are advised to update their devices immediately and to consider enabling Lockdown Mode for additional protection.
2023-10-05 18:11:42 bleepingcomputer CYBERCRIME NSA and CISA Reveal Top 10 Most Common Cybersecurity Misconfigurations
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published the ten most common cybersecurity misconfigurations they find in large organizations' networks. They include default configurations of software and applications (default credentials, service permissions and settings), improper separation of user and administrator privileges, insufficient internal network monitoring and poor patch management. The findings are drawn from the agencies' assessments of Department of Defense, Federal Civilian Executive Branch, state, local, tribal and territorial government, and private-sector networks. The agencies stress that software manufacturers have an essential role in eliminating these weaknesses by building security controls in from the earliest stages of development and throughout the software development lifecycle. Their recommendations include using memory-safe languages, using parameterized queries rather than building SQL from untrusted input, requiring multifactor authentication (MFA) for privileged users, and shipping MFA enabled by default. NSA and CISA also recommend "exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework" and evaluating how the existing inventory of security controls performs against the framework's techniques.
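The parameterized-query recommendation above, as an added example that is not part of the NSA/CISA advisory or of any vendor's code. It uses Python's sqlite3 module on an in-memory database; the users table, its rows and the two payloads are constructed for the demonstration.

```python
"""Parameterized queries versus string-built SQL.

Added example, not code from the NSA/CISA advisory. Uses an in-memory
SQLite database; the 'users' table and its three rows are constructed here
so the block runs offline.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", "h1"), ("bob", "user", "h2"), ("carol", "user", "h3")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """Untrusted input is pasted into the statement, so it can rewrite the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[str]:
    """The value is bound to a placeholder; the engine never parses it as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Two classic payloads: a tautology, and a comment that truncates the statement.
TAUTOLOGY = "x' OR '1'='1"
COMMENT_TRUNCATION = "alice' --"

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, TAUTOLOGY))           # ['alice', 'bob', 'carol']
    print(lookup_vulnerable(db, COMMENT_TRUNCATION))  # ['alice']
    print(lookup_parameterized(db, TAUTOLOGY))        # []
    print(lookup_parameterized(db, COMMENT_TRUNCATION))  # []
```

The vulnerable lookup returns every row for the tautology and matches alice for the comment payload because the trailing quote is commented out; the parameterized version returns nothing for either, since the whole string is compared as a literal name. The same placeholder discipline applies to every database driver, not only sqlite3.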
2023-10-05 17:10:30 bleepingcomputer CYBERCRIME Amazon Mandates Multi-Factor Authentication for Privileged AWS Accounts by Mid-2024
Amazon Web Services (AWS) has announced that it will begin requiring multi-factor authentication (MFA) for its most privileged accounts in mid-2024, starting with the root user of AWS Organizations management accounts, to harden them against account takeover and data breaches. MFA adds a second factor so that a stolen password alone is not enough to sign in. AWS added more flexible MFA options in November 2022, including the ability to register up to eight MFA devices per root user or IAM user; it also provides free MFA security keys to eligible customers in the U.S. and recommends phishing-resistant methods such as security keys. The requirement will be extended to further account types and sign-in scenarios as AWS builds features that make MFA adoption practical at scale. Customers who will need to enable MFA will be notified through several channels, including prompts at sign-in.
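One way to find the accounts that this requirement will catch in your own environment, as an added example and not AWS tooling. The block parses the CSV that `aws iam get-credential-report` returns (base64-encoded in the API response; decode it before passing it in). The column names are the real report's; the rows are constructed sample data and only the leading columns are shown, which the CSV reader tolerates.

```python
"""Flag AWS principals that can sign in to the console without MFA.

Added example, not AWS code. It reads the CSV that `aws iam
get-credential-report` returns (the API hands it back base64-encoded;
decode it before passing it in). The column names below are the real
report's; the rows are constructed sample data and only the leading columns
are included, which DictReader tolerates.
"""
import csv
import io

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2023-10-01T09:12:00+00:00,not_supported,not_supported,false,false,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T00:00:00+00:00,true,2023-10-04T10:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2022-05-06T00:00:00+00:00,true,2023-09-30T08:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,false,false,false
deploy-svc,arn:aws:iam::111122223333:user/deploy-svc,2022-05-06T00:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""


def console_users_without_mfa(report_csv: str) -> list[dict]:
    """Return principals that have a console password but no active MFA device.

    The root user's password_enabled column reads 'not_supported' because the
    root user always has a password, so it is treated as console-enabled.
    Access-key-only identities (password_enabled == 'false') are skipped here;
    they cannot use console MFA and need a separate key-hygiene review.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_console = row["password_enabled"] in ("true", "not_supported")
        if has_console and row["mfa_active"] != "true":
            findings.append({
                "user": row["user"],
                "arn": row["arn"],
                "is_root": row["arn"].endswith(":root"),
                "last_console_use": row["password_last_used"],
            })
    # Root first, then by user name, so the highest-privilege finding leads.
    return sorted(findings, key=lambda f: (not f["is_root"], f["user"]))


if __name__ == "__main__":
    for f in console_users_without_mfa(SAMPLE_REPORT):
        tag = "ROOT " if f["is_root"] else ""
        print(f"{tag}{f['user']}: no MFA, last console use {f['last_console_use']}")
```

Run it against the decoded report for every account in the organization; the root-account findings are the ones the announced requirement targets first, and any user with a console password and no MFA is the same class of exposure one tier down.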
2023-10-05 15:02:54 bleepingcomputer CYBERCRIME Lyca Mobile Confirms Cyberattack, Investigates Potential Customer Data Leak
Lyca Mobile has disclosed a cyberattack that disrupted its network and has opened an investigation into whether any customer data was compromised. The UK-based mobile operator serves 60 countries; the attack affected its services in all but four of them. Customers and retailers reported being unable to reach the company's top-up portal, and national and international calling were also affected. Lyca Mobile has brought in third-party IT specialists for an urgent investigation, notified the relevant data protection authorities and assured customers that its records are encrypted, without saying what kind of encryption is used. Restoration is ongoing, with some operational services still unavailable in affected markets. The company has not responded to requests for comment on the attack, nor explained why it removed its initial statement about the incident from its website.
2023-10-05 13:20:36 thehackernews MALWARE QakBot Threat Actors Continue Operations with Ransom Knight and Remcos RAT Attacks
Despite the earlier disruption of their infrastructure, QakBot operators have been linked to a phishing campaign that has been running since early August 2023 and delivers Ransom Knight (also known as Cyclops) ransomware and the Remcos RAT. Cisco Talos attributes the activity to QakBot affiliates with moderate confidence, while noting there is no evidence the actors have resumed distributing the QakBot loader itself since the takedown. QakBot, also known as QBot and Pinkslipbot, began in 2007 as a Windows banking trojan and over time gained the ability to deliver additional payloads, including ransomware. The current campaign starts with a malicious LNK file, probably delivered by phishing email, which leads to the deployment of Ransom Knight. The ZIP archives that carry the LNK files also contain Excel add-in (.XLL) files that install the Remcos RAT for persistent backdoor access to the endpoint. File names written in Italian suggest the attackers are focusing on users in Italy. Talos expects QakBot to remain a significant threat because its operators are still active and could rebuild the QakBot infrastructure to fully resume their earlier operations.
2023-10-05 13:04:47 theregister CYBERCRIME Microsoft Warns of Rising BYOD-Related Ransomware Attacks; Advises Stronger Security Measures
"Bring Your Own Device" (BYOD) policies have been linked to a sharp rise in ransomware attacks, according to Microsoft's latest Digital Defense Report. Human-operated ransomware attacks are up more than 200% since September 2022, and 80-90% of them originated from unmanaged, mostly personal, devices, underlining the risk such policies carry. Opinion on BYOD remains divided, with some organizations valuing the cost and convenience benefits and others stressing the security exposure. Despite the rise in attempts, only 2% of attacks ended with ransomware actually being deployed, which Microsoft reads as evidence that strong controls work. Microsoft advises organizations to adopt zero trust and least-privilege measures, keep effective backups and deploy tooling that remediates threats automatically. It expects ransomware to grow further in 2024, largely through more ransomware-as-a-service (RaaS) affiliates; the four largest RaaS groups, Magniber, LockBit, Hive and BlackCat, accounted for 65% of attacks globally last year.
2023-10-05 12:08:31 thehackernews CYBERCRIME Cisco Patches Critical Security Flaw in Emergency Responder Systems
Cisco has released an update for a critical flaw in Cisco Emergency Responder that could let an unauthenticated remote attacker log in using hard-coded credentials. Tracked as CVE-2023-20101 with a CVSS score of 9.8, the flaw stems from static credentials for the root account that were left in from development. An attacker who used them could log in to the affected system and run arbitrary commands as root. Only Cisco Emergency Responder Release 12.5(1)SU4 is affected; later releases are not. Cisco found the issue during internal security testing, says it is not aware of any malicious exploitation, and urges customers to upgrade to a fixed release.
2023-10-05 11:01:54 thehackernews MALWARE Analysis and Extraction of Config Presents In-depth View of Unconventional Lu0Bot Malware
Analysts have examined Lu0Bot, a piece of malware written for Node.js, and documented its structure and unusual design. Although its activity is currently low, it was built to evade detection and remains a risk to organizations and individuals. Because Node.js is a platform-agnostic runtime, the malware can run wherever that runtime is present, and combined with its multi-layer obfuscation this makes it a sophisticated threat. Static analysis of a sample found a self-extracting archive containing, among other files, an encryption key, base64-encoded bytes and a driver associated with keylogging. Dynamic analysis in the ANY.RUN interactive sandbox showed that the malware locates its own process, copies itself to startup folders and keeps its domain connections across reboots. Debugging the JavaScript revealed how it assembles its domains: it gathers system information, hashes it, builds the domain segments and packs the required elements into a JSON object. ANY.RUN has applied the findings to identify Lu0Bot samples and to recover C2 domains after decrypting the embedded strings, and has published YARA, Sigma and Suricata rules for it. The analysts warn that Lu0Bot could become a significant risk if its C2 server starts responding, and urge users to have suspicious files or links examined promptly and thoroughly.
2023-10-05 10:46:22 thehackernews CYBERCRIME Guyana Government Targeted in Cyber Espionage Attack by DinodasRAT
A government entity in Guyana was targeted in a cyber-espionage campaign, dubbed Operation Jacana, that ESET detected in February 2023. The spear-phishing attack delivered DinodasRAT, a previously undocumented C++ implant, to breach the government's internal network. ESET attributes the intrusion with medium confidence to a China-nexus threat actor because of the use of Korplug (PlugX), a remote access trojan commonly used by Chinese groups. The attack began with a phishing email pointing to a news story about a Guyanese fugitive in Vietnam, which led to a malicious ZIP file hosted on a compromised Vietnamese government website. DinodasRAT was used to collect sensitive information, manipulate Windows registry keys and execute commands on the victim's machine. For lateral movement the attackers deployed Korplug and the SoftEther VPN client, a combination that suggests a possible link to the China-affiliated group Flax Typhoon. The emails appear to have been tailored to the victim's geopolitical interests, which made the spear-phishing more likely to succeed.
2023-10-05 10:05:19 theregister DATA BREACH Lorenz Ransomware Group Mistakenly Leaks Contact Details Spanning Two Years
The Lorenz ransomware group has inadvertently leaked two years' worth of data from the contact form on its site, the result of a misconfigured Apache2 server and a rare case of a ransomware crew exposing its own contact data. The leaked records run from June 3, 2021 to September 17, 2023, covering almost the whole of the group's active period since it emerged in February 2021, and include the names, email addresses and subject lines submitted through the form. The senders include reporters, financial services staff and several people who hid their identities behind Proton Mail addresses. Even after learning of the leak the group did not fix the underlying problem; the site is still reachable, but form submissions no longer reach the group. Lorenz is not among the most prolific operations, having posted 16 victims on its leak site in 2023. It practices double extortion and also acts as an initial access broker (IAB), selling network access to other criminals.
2023-10-05 09:59:53 thehackernews MALWARE GoldDigger Android Trojan Targets Financial Applications in Asia Pacific Region
Singapore-based cybersecurity firm Group-IB has identified a new Android banking trojan, GoldDigger, that targets more than 50 banking, e-wallet and crypto-wallet applications in Vietnam and could expand across the wider Asia Pacific region and to Spanish-speaking countries. GoldDigger was first spotted in August 2023, although evidence suggests it has been active since June 2023; the scale of its impact is unknown. The malware poses as a Vietnamese government portal and as an energy company to request extensive permissions, then abuses Android's accessibility services to extract data, steal banking credentials, intercept SMS messages and control the device. It gives the operators full visibility of user actions, lets them view account balances, capture two-factor authentication (2FA) codes and log keystrokes, and enables remote access to the device. GoldDigger is distributed through fake Google Play Store pages and counterfeit corporate sites in Vietnam, probably pushed to victims via smishing or conventional phishing. It is wrapped with Virbox Protector, a legitimate commercial protector, which complicates analysis, hinders detection and makes it hard to trigger its malicious behaviour in sandboxes or emulators.
2023-10-05 09:34:10 thehackernews CYBERCRIME CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities, Urges Federal Agencies to Patch
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two flaws to its Known Exploited Vulnerabilities (KEV) catalog: an authentication bypass in JetBrains TeamCity Server (CVE-2023-42793) that allows remote code execution, and a privilege escalation flaw in the Windows Cryptography Next Generation (CNG) Key Isolation Service (CVE-2023-28229). Scanning data shows at least 74 unique IP addresses have targeted the TeamCity flaw. The Windows flaw, rated high severity and patched in Microsoft's April 2023 Patch Tuesday, had not been publicly reported as exploited in the wild and Microsoft had assessed it as "Exploitation Less Likely"; a proof-of-concept was published early last month. At the same time CISA removed five vulnerabilities affecting the Owl Labs Meeting Owl from the catalog, citing insufficient evidence of exploitation. Federal Civilian Executive Branch (FCEB) agencies must apply the vendor patches for the two flaws by October 25, 2023.
2023-10-05 05:35:03 theregister NATION STATE ACTIVITY North Korea Targets South Korean Shipbuilding Industries in Phishing Attack
North Korea has mounted cyberattacks against South Korea's shipbuilding sector, according to South Korea's National Intelligence Service (NIS). The attacks, in August and September, used phishing emails aimed at shipyard employees and their IT contractors. The NIS believes the goal is to gather intelligence that would help North Korea build medium and large ships and so strengthen its navy, in line with Kim Jong-un's stated plans to modernize the country's shipbuilding industry. The NIS has warned the affected companies and expects further attacks on shipbuilders and component manufacturers. Similar tactics were reportedly used to steal warship blueprints from Daewoo Shipbuilding & Marine Engineering (DSME) in 2017. Separately, South Korean and US authorities are watching for signs that North Korea has halted reactor operations at its Yongbyon nuclear complex.
2023-10-05 03:43:09 thehackernews CYBERCRIME Apple Releases Security Patches to Address iOS Zero-Day Vulnerability Under Active Exploitation
Apple has rolled out patches for a new zero-day, CVE-2023-42824, in iOS and iPadOS that is reportedly being exploited in the wild. The kernel flaw lets a local attacker escalate privileges; Apple says it has been addressed with improved checks. Who is exploiting it, and how, is not yet known. The same update fixes CVE-2023-5217, listed by Apple under the WebRTC component and described by Google as a heap-based buffer overflow in libvpx. With this release Apple has patched 17 actively exploited zero-days in its software since the start of 2023. The patch follows fixes for three vulnerabilities tied to the commercial spyware vendor Cytrox, one of which was likewise a kernel privilege escalation similar to the latest flaw. French cybersecurity firm Sekoia has found overlaps between infrastructure used by Cytrox and by fellow spyware vendor Candiru. Users who may be at risk are advised to enable Lockdown Mode.
2023-10-05 03:32:43 thehackernews CYBERCRIME Critical Zero-Day Vulnerability Actively Exploited in Atlassian Confluence; Patch Released
Atlassian has patched an actively exploited zero-day, CVE-2023-22515, affecting publicly accessible instances of Confluence Data Center and Server. The critical-severity flaw lets remote attackers create unauthorized Confluence administrator accounts and use them to access the server. Versions earlier than 8.0.0 are not affected, nor are Atlassian Cloud sites accessed via an atlassian.net domain. Atlassian learned of the issue from a "handful of customers" and has fixed it in specific releases of Confluence Data Center and Server, but has not disclosed details of the exploitation or the vulnerability's root cause. Customers who cannot update immediately are advised to restrict external network access to affected instances and to block the /setup/* endpoints. Atlassian has published indicators of compromise (IoCs) to help customers determine whether an instance has been breached, along with guidance on what to do if it has, and urges everyone to upgrade to a fixed version or apply the mitigations without delay.
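A detection to pair with the /setup/* mitigation above, as an added example that is not Atlassian's tooling or its IoC list. On an instance that has completed initial setup there is no routine reason for clients to reach /setup/*, so the block scans web-server access logs for such requests. The log lines are constructed samples in combined log format, and the optional leading context path (e.g. /confluence) is an assumption about how the instance is mounted behind a reverse proxy.

```python
"""Scan web-server access logs for requests to Confluence's /setup/ endpoints.

Added example, not Atlassian's tooling. On an instance that has finished
initial setup there is no legitimate reason for clients to reach /setup/*,
so any such request, especially a POST, is worth investigating. The log
lines are constructed samples in Apache/nginx combined format; the optional
leading context path (e.g. /confluence) is an assumption about how the
instance is mounted behind a reverse proxy.
"""
import re
from collections import Counter

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# /setup/... at the root, or under a single-segment context path such as /confluence.
SETUP_PATH_RE = re.compile(r'^(?:/[^/]+)?/setup/')

SAMPLE_LOG = """\
203.0.113.5 - - [04/Oct/2023:12:01:03 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 5120
203.0.113.5 - - [04/Oct/2023:12:01:09 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.7 - - [04/Oct/2023:12:02:44 +0000] "POST /confluence/setup/setupadministrator.action HTTP/1.1" 302 0
192.0.2.10 - jdoe [04/Oct/2023:12:03:15 +0000] "GET /pages/viewpage.action?title=/setup/notes HTTP/1.1" 200 8831
192.0.2.10 - jdoe [04/Oct/2023:12:03:20 +0000] "GET /rest/api/space HTTP/1.1" 200 2210
this line is not in combined format and must be skipped
"""


def setup_requests(log_text: str) -> list[dict]:
    """Return one record per request whose path (not its query string) is under /setup/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate rotated or garbled lines rather than abort the scan
        path = m.group("target").split("?", 1)[0]
        if SETUP_PATH_RE.match(path):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


def sources(hits: list[dict]) -> dict:
    """Count hits per client address; repeated POSTs from one source are the loudest signal."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = setup_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print(sources(found))
```

The path is split from the query string before matching so that a page title or parameter containing "/setup/" does not produce a false hit, and the context-path prefix is allowed so proxied deployments are covered. Any hit on an already-configured instance should be checked against the administrator group membership and recently created accounts that Atlassian's guidance points to, and the same /setup/ pattern is what a reverse-proxy deny rule for the mitigation should match.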