Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11546
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-03 18:44:43 | bleepingcomputer | CYBERCRIME | Google Announces Stricter Sender Guidelines to Improve Email Security | Google will implement stricter sender guidelines starting February 1, 2024, designed to enhance email security against phishing and malware attacks.
The new guidelines will require senders of more than 5,000 emails daily to Gmail users to establish SPF/DKIM and DMARC email authentication for their domains.
In addition, the new guidelines enforce lower spam-rate thresholds, require a one-click option for Gmail users to unsubscribe from commercial messages, and require that unsubscribe requests be honored within two days.
The update by Google is intended to protect users from email spoofing and phishing, with non-compliance potentially leading to email delivery issues due to enforced DMARC quarantine policy.
Google indicated its AI-driven systems prevent more than 99.9% of spam, phishing, and malware, equivalent to nearly 15 billion unwanted emails every day.
Google further explained that if senders did not meet the stipulated requirements, their emails could be mislabeled as spam or not delivered as expected. | Details |
| 2023-10-03 18:13:54 | bleepingcomputer | CYBERCRIME | Google October 2023 Android Security Update Fixes Two Active Exploits | Google's latest security update for Android addresses two active exploits and 52 other vulnerabilities.
Two flaws, CVE-2023-4863, a buffer overflow vulnerability in libwebp, and CVE-2023-4211, a use-after-free memory issue in Arm Mali GPU drivers, are currently being actively exploited.
CVE-2023-4863 affects many software products, including Chrome, Firefox, iOS, and Microsoft Teams. Separate CVEs were initially assigned for Apple iOS and Google Chrome, but the flaw actually lies in the underlying library. A new CVE for this issue was assigned but subsequently rejected.
Many different Android models could be impacted by CVE-2023-4211. Successful exploitation could enable attackers to locally access or manipulate sensitive data.
The update uses a two-level patch system in which patches for core components are released first, followed by patches for kernels and closed-source components.
Upgrades for older versions of Android are recommended due to potential vulnerabilities; Android 10 and older versions are no longer supported. | Details |
| 2023-10-03 16:41:19 | thehackernews | MALWARE | Qualcomm Patches 17 Vulnerabilities including Zero-Days Under Active Exploitation | Qualcomm has released a security update fixing 17 vulnerabilities, including several that are under active exploitation.
Out of 17, three have been rated critical, 13 are rated high, and one is rated medium in severity.
According to Google's Threat Analysis Group, four flaws (CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063) may be under limited, targeted exploitation.
The company has issued patches concerning Adreno GPU and Compute DSP drivers. Original Equipment Manufacturers (OEMs) have been strongly advised to carry out these security updates as quickly as possible.
CVE-2022-22071, which is a use-after-free in Automotive OS Platform, was first patched by Qualcomm in its May 2022 updates.
Further specific information regarding the remaining vulnerabilities will be made public in 2023.
Alongside Qualcomm's security measures, Arm also released patches for a security flaw in the Mali GPU kernel driver that had limited, targeted exploitation. | Details |
| 2023-10-03 16:41:19 | bleepingcomputer | CYBERCRIME | ShellTorch Vulnerabilities Expose AI Servers to Code Execution Attacks | Researchers have identified critical vulnerabilities, known as 'ShellTorch,' in the open-source TorchServe AI model-serving tool, exposing thousands of internet servers, including those of large corporations.
The TorchServe tool, maintained by Meta and Amazon, is utilized extensively in AI model training and development by a range of entities, including key tech firms such as Amazon, OpenAI, Tesla, Azure, Google, and Intel.
The ShellTorch vulnerabilities allow unauthorized server access and remote code execution (RCE) on susceptible instances. The set comprises three flaws: two that enable remote code execution and a third that is an unauthenticated management-interface API misconfiguration.
Tens of thousands of IP addresses are potentially exposed to ShellTorch attacks, some of which belong to globally recognized organizations.
The researchers suggest an upgrade to TorchServe 0.8.2 to mitigate the vulnerabilities and emphasize the importance of only fetching models from trusted domains.
While the upgrade does not fix one of the vulnerabilities (CVE-2023-43654), it does issue a warning to the user about the Server-Side Request Forgery (SSRF) issue.
Oligo has released a free tool to assist administrators in identifying if their instances are vulnerable to the identified attacks. | Details |
| 2023-10-03 16:30:43 | thehackernews | CYBERCRIME | Multiple Critical Security Flaws Discovered in PyTorch Models, Affect Large Companies and End Users | Critical security flaws have been discovered in the TorchServe tool for serving and scaling PyTorch models, which could lead to remote code execution (RCE) on affected systems.
The vulnerabilities, coined ShellTorch, were disclosed by Israel-based runtime application security company Oligo and can leave a high number of services and end-users vulnerable to unauthorized access and potential full server takeover.
The flaws allow attackers to upload a malicious model from an address they control, enabling arbitrary code execution without any authentication on any default TorchServe server.
The vulnerabilities could be chained with CVE-2022-1471, opening the way for code execution and full takeover of exposed instances.
Amazon Web Services (AWS) has issued an advisory urging customers using PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 in EC2, EKS, or ECS released prior to September 11, 2023, to update to TorchServe version 0.8.2.
Through exploiting these vulnerabilities, attackers can view, modify, steal, and delete AI models and sensitive data flowing to and from the target TorchServe server, undermining the credibility of the application. | Details |
| 2023-10-03 15:34:17 | bleepingcomputer | CYBERCRIME | Qualcomm Announces Active Exploitation of Three Zero-day Security Flaws in its GPU, DSP Drivers | Qualcomm has disclosed three zero-day vulnerabilities in its GPU and Compute DSP drivers which are currently being exploited.
Google’s Threat Analysis Group (TAG) and Project Zero teams reported the potential limited targeted exploitation of the vulnerabilities, CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063.
Qualcomm has already issued security updates addressing these issues, and vulnerable OEMs have been notified.
CVE-2022-22071, disclosed in May 2022, is a high-severity, locally exploitable flaw that affects popular chips such as the SD855, SD865 5G, and SD888 5G.
More information regarding the exploitation of the CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063 vulnerabilities will be provided in Qualcomm's December 2023 bulletin.
Qualcomm has also disclosed 13 high-severity and three critical-severity flaws, the latter being remotely exploitable. However, there is no evidence these have been exploited.
While consumers await updates, Qualcomm advises Android device owners to limit the number of downloaded applications, sourcing them strictly from trustworthy repositories.
Yesterday, Arm released a similar advisory, warning of an actively exploited flaw in a range of its Mali GPU drivers. | Details |
| 2023-10-03 15:03:23 | thehackernews | MALWARE | Counterfeit npm Packages Discovered Stealing Sensitive Developer Data | Around three dozen counterfeit packages designed to extract sensitive data from developers' systems have been found in the npm package repository. The discovery was made by Fortinet FortiGuard Labs.
One set of packages, namely @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, @virtualsearchtable/virtualsearchtable, contains an obfuscated JavaScript file capable of collecting secrets such as Kubernetes configurations, SSH keys, and system metadata.
Another four modules exfiltrate source code and configuration files, which may contain intellectual property and sensitive credentials. This information is archived and uploaded to an FTP server.
Some packages have been seen to use a Discord webhook to extract sensitive data, while others download and execute a potentially harmful executable file from a URL.
A unique package identified, @cima/prism-utils, leaves connections vulnerable to adversary-in-the-middle (AitM) attacks by using an install script to disable the TLS certificate validation.
The company categorised the identified modules into nine groups based on code similarities and functionality. It recommends that users be cautious with packages that run suspicious install scripts. | Details |
| 2023-10-03 14:57:51 | bleepingcomputer | MALWARE | Microsoft Rolls Out Emergency Security Updates for Zero-Day Vulnerabilities in Open-Source Libraries | Microsoft has released emergency security patches for vulnerabilities in the open-source libraries used by Edge, Teams, and Skype.
The first bug, CVE-2023-4863, is a heap buffer overflow flaw in the WebP code library (libwebp) that could cause crashes and enable arbitrary code execution.
The second bug, CVE-2023-5217, is a similar flaw in the VP8 encoding of the libvpx video codec library, which could also lead to app crashes or arbitrary code execution.
These vulnerabilities only affect a limited number of Microsoft products; the company has patched Edge, Teams for Desktop, Skype for Desktop, and Webp Image Extensions for CVE-2023-4863, and only Microsoft Edge for CVE-2023-5217.
There have been reports of these vulnerabilities being exploited in the wild, including one case where CVE-2023-5217 was used to deploy Cytrox's Predator spyware.
While there are automatic updates available for affected Webp Image Extensions users through the Microsoft Store, these will not be installed if automatic updates from the store are disabled.
It's worth mentioning that while the exact details on attacks exploiting CVE-2023-4863 are still unknown, both vulnerabilities were reported by reliable sources including Google's Threat Analysis Group and Citizen Lab, which is known for discovering zero-days used in targeted spyware attacks. | Details |
| 2023-10-03 13:00:39 | bleepingcomputer | CYBERCRIME | EvilProxy Targets Microsoft 365 Accounts in Phishing Campaign Leveraging Indeed.com Redirects | Cybercriminals are targeting the Microsoft 365 accounts of key executives in US organizations by leveraging open redirects on the job listing site indeed.com.
The threat actor is using the EvilProxy phishing service to collect session cookies, which enables them to bypass multi-factor authentication mechanisms.
The phishing campaign is aimed at executives and high-ranking employees from various industries like electronic manufacturing, banking, real estate, insurance, and property management.
An open redirect on indeed.com is being used to deceive targets into clicking a seemingly legitimate link which leads them to a phishing site impersonating Microsoft's login page.
EvilProxy mimics the official login page, allowing the threat actors to capture authentication cookies once the user logs into their account and thereby gain full access.
Menlo found several artifacts in the attack that point to EvilProxy as the culprit of the campaign.
Success rates of phishing campaigns increase when reverse-proxy kits are combined with open redirects, as shown in the previous EvilProxy campaign in August 2023. | Details |
| 2023-10-03 12:04:02 | theregister | CYBERCRIME | CISA Includes Recently Exploited Chrome Zero-Day Vulnerability in Known Exploit Catalog | The US's Cybersecurity and Infrastructure Security Agency (CISA) has added a recent zero-day vulnerability in Google Chrome to its Known Exploited Vulnerabilities Catalog.
The bug, tracked as CVE-2023-5217, was patched by Google and carries a CVSS v3 severity score of 8.8, which CISA regards as a significant risk to federal enterprise security.
Federal Civilian Executive Branch (FCEB) agencies have been given until October 23 to apply the recommended patches for the vulnerability, which is a heap buffer overflow vulnerability affecting VP8 encoding.
CISA indicated that the vulnerability poses a significant risk to the federal enterprise and urged all organizations to implement the recommended fixes in a timely manner.
Although Google hasn't released extensive details about the vulnerability, it's known to be exploitable via a specially crafted HTML page and VP8 media stream, potentially leading to crashes or execution of arbitrary code.
The vulnerability affects other software beyond Google Chrome, including Microsoft's Chromium-based Edge browser, certain versions of Microsoft Teams and Skype, and 29 open source packages that require libvpx.
This is the second similar Chrome vulnerability reported this month, a fact which underscores the widespread risk of these types of vulnerabilities in popular applications.
The mitigation deadlines provided by CISA apply only to FCEB agencies, but all organizations are being encouraged to apply the patches as soon as possible. | Details |
| 2023-10-03 12:04:02 | thehackernews | CYBERCRIME | Rising Concern Over API Breaches and Security Measures Needed | The article highlights the rising trend of API (Application Programming Interface) breaches, which have become a major concern in cybersecurity because of the increased dependence on APIs.
This surge in API breaches is mainly due to inadequate security controls put in place by developers and organizations, with many APIs left unprotected and susceptible to attack.
The consequences of an API breach are severe for both businesses and their customers. Businesses face financial losses from legal liabilities and reputational damage following a data breach or service disruption. Customers risk having personal information disclosed, leading to identity theft and other forms of fraud.
Despite these risks, many organizations rely on their existing infrastructure, such as API gateways and web application firewalls (WAFs), for protection. But relying solely on these technologies leaves gaps in the overall security posture of the organization's APIs.
A report titled "API Security Trends 2023" includes survey data from over 600 CIOs, CISOs, CTOs, and security professionals from six industries across the US and UK. The report indicates that 78% of cybersecurity teams have experienced an API-related security incident in the last 12 months.
The report also points out that although 72% of respondents have a full inventory of APIs, only 40% have visibility into which return sensitive data. Consequently, 81% consider API security more of a priority now than it was 12 months ago. | Details |
| 2023-10-03 11:48:32 | thehackernews | MISCELLANEOUS | Importance of Security Configuration Assessments in Cybersecurity Posture | Security Configuration Assessments (SCA) are critical to maintaining a secure IT environment and minimizing cyber attack risk.
SCAs detect vulnerabilities and misconfigurations that threat actors could exploit by checking IT assets against established benchmarks, such as those from the Center for Internet Security (CIS), and standards such as NIST, GDPR, and HIPAA.
Regular SCAs assist organizations in adhering to regulatory requirements, identifying and correcting exceptions, and improving an organization's reputation by boosting customer and stakeholder trust.
SCAs provide valuable insight into current security posture, helping organizations make the changes needed to align systems and configurations with a secure baseline, including adjusting settings, patching vulnerabilities, and disabling unnecessary services.
The open-source platform Wazuh offers an SCA module that scans for misconfigurations and recommends remediation actions, supporting effective attack surface management and security posture improvement.
Regularly performing SCAs can facilitate faster recovery post-incident by allowing organizations to better comprehend the impact of an incident via well-documented and secure configuration baselines. | Details |
| 2023-10-03 10:10:50 | theregister | CYBERCRIME | Crypto Co-Founder Arrested, Philippine Health Services Recovers from Ransomware Attack, and China Eases Data Export Laws | Zhu Su, Co-founder of the defunct crypto firm Three Arrows Capital (3AC), was arrested at Singapore’s Changi Airport for failing to comply with investigations into the firm's collapse. The Monetary Authority of Singapore had previously issued a nine-year ban to the 3AC founders for neglecting risk management.
The Philippine Health Insurance Corporation (PhilHealth) is back online following a ransomware attack, which Medusa ransomware gang claimed responsibility for. The attackers demanded $100,000 to extend the ransomware's deadline and $300,000 to delete stolen data, but PhilHealth, adhering to the government policy, did not pay.
China’s cyberspace regulator is considering relaxing some rules on cross-border data transfers. If approved, companies exporting 'important' or 'personal' data will no longer need a security assessment from the Cyberspace Administration of China, under specific conditions.
Taiwanese iPhone assembly factory Pegatron was temporarily shut down due to a fire. The company stated that there was no significant financial or operational impact due to the accident.
Taiwan unveiled its first indigenously built submarine in a move to strengthen the Taiwanese navy's "asymmetric warfare."
The Singapore-based superapp Grab will close its investment service, GrabInvest, after determining it was not commercially viable.
South Korean President Yoon Suk Yeol warned that the misuse of digital technologies and AI could threaten liberal democracy and announced plans to address this in the nation's forthcoming Digital Bill of Rights. | Details |
| 2023-10-03 10:10:49 | thehackernews | CYBERCRIME | Security Flaw in Arm's Mali GPU Kernel Driver Exploited, Patches Issued | Arm has issued security patches for a vulnerability in its Mali GPU Kernel Driver, which is currently being actively exploited.
The flaw, tracked as CVE-2023-4211, allows a local non-privileged user to exploit improper GPU memory processing operations and access already freed memory.
The patch covers Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0.
Google's Threat Analysis Group and Project Zero first discovered the flaw. The Android Security Bulletin for October 2023 has also indicated targeted exploitation of CVE-2023-4211.
The specifics of the attacks are still unclear, but they may have been weaponized as part of a spyware campaign targeting high-risk individuals.
Arm also resolved two other flaws within the Mali GPU Kernel Driver that allow for improper GPU memory processing operations.
This is not the first time flaws in Arm's Mali GPU Kernel Driver have been exploited: earlier this year, a spyware vendor abused a similar vulnerability to compromise Samsung devices. | Details |
| 2023-10-03 10:10:49 | thehackernews | CYBERCRIME | Researcher Identifies Vulnerabilities in Cloudflare's Firewall and DDoS protection Mechanisms | A research report from consultancy firm Certitude reveals that existing security controls in Cloudflare's Firewall and Distributed Denial of Service (DDoS) protections can potentially be bypassed. This could allow malicious actors to exploit the implicit trust within the service regardless of a tenant's legitimacy.
The core issue arises from a feature called Authenticated Origin Pulls that uses shared Cloudflare certificates. In this scheme, an adversary with a Cloudflare account can make malicious use of the platform to bypass protections.
The second issue is abuse of the feature for allowlisting Cloudflare IP addresses, which could be exploited to transmit malicious inputs and target other users on the platform.
In response to these findings, Cloudflare has added an explicit warning to its documentation recommending that users set up Authenticated Origin Pulls with a custom certificate for better security.
The report also highlights the possibility for attackers to leverage 'dangling' DNS records for hijacking subdomains belonging to organizations across sectors. This could lead to malware distribution, disinformation campaigns, and phishing attacks.
The incidents demonstrate an increasing use of sophisticated strategies by adversaries, including dynamically seeded domain generation algorithms (DGA), to complicate analysis and avoid detection. This further extends the lifespan of command-and-control (C2) communication channels.
Experts recommend robust security measures, including proactive blocklisting of potential botnets and consistent implementation of bailiwick checks in DNS modes, to thwart these evolving threats. | Details |