Daily Brief
Total articles found: 12632
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-12-21 16:56:14 | thehackernews | CYBERCRIME | Predator Spyware's Reboot Persistence Feature Ups the Ante | Predator spyware now offers clients a reboot-survival feature, confirming the advancement of its persistence capabilities on infected Android devices. Produced by the Intellexa Alliance, which includes firms such as Cytrox and Nexa Technologies, Predator targets both Android and iOS systems under high-cost licensing. The U.S. added Cytrox and Intellexa to the Entity List in July 2023 for trafficking in cyber exploits used to access information systems. Spyware tools like Predator and Pegasus use exploit chains in mobile operating systems and browsers to infiltrate devices covertly. Security measures are adapting to counter such threats, driving exploit developers to continually seek new vulnerabilities or purchase them from brokers. Intellexa's business model distances the company from direct involvement in attacks by having clients set up their own infrastructure, with shipping jargon used to mask the arrangement for deniability. Although exposure of such surveillance tools has impacted the spyware market, companies like Intellexa adapt by acquiring new exploit chains and so maintain their operational capabilities. Cisco Talos emphasizes the need for public technical disclosures to improve malware detection and impose development costs on private-sector offensive actors. |
| 2023-12-21 16:45:42 | bleepingcomputer | DATA BREACH | ChatGPT Suffers Partially Patched Data Exfiltration Vulnerability | OpenAI applied a mitigation for a data exfiltration flaw in ChatGPT, a popular conversational AI platform. Security researcher Johann Rehberger identified that the platform could leak user conversation data to unauthorized external URLs. Despite OpenAI's efforts, the fix is partial, and attackers may still exploit the vulnerability under certain conditions. The safety measures that prevent data leakage are not yet implemented in the iOS mobile app version of ChatGPT, leaving iPhone and iPad users exposed. The flaw involves prompt injection and image markdown rendering, allowing theft of metadata, technical data, and conversation details from victims. The researcher publicly disclosed the threat after OpenAI did not respond to his reports, demonstrating the issue with a custom AI model named 'The Thief!'. OpenAI's client-side checking is not fully transparent, as the service is not open source, so how effective the fix is cannot be fully verified. The vulnerability's remediation on Android is unclear, potentially affecting the large user base of ChatGPT's mobile app on the Google Play platform. |
| 2023-12-21 16:25:00 | thehackernews | MALWARE | Chameleon Banking Trojan Evolves, Targeting U.K. and Italy | Cybersecurity researchers have identified a new variant of the Chameleon Android banking malware that has expanded its targeting to users in the U.K. and Italy. The malware abuses Android's accessibility service for Device Takeover attacks, harvesting data and conducting overlay attacks. Chameleon is distributed via Zombinder, a dropper-as-a-service that binds malware to legitimate apps and can now bypass Android's 'Restricted Settings'. The updated Chameleon trojan can undermine biometric authentication by switching the lock screen to a PIN, allowing unauthorized device access. ThreatFabric's report follows Zimperium's findings of 29 malware families, including 10 new ones, targeting 1,800 banking apps in 61 countries. The most targeted financial apps include those of major banks and services such as PhonePe, WeChat, Bank of America, Wells Fargo, Binance, and Barclays. Banking apps remain the primary target for such malware, with FinTech and trading apps increasingly targeted as well. |
| 2023-12-21 15:43:56 | bleepingcomputer | CYBERCRIME | Darkweb Market BidenCash Releases 1.9 Million Stolen Cards | The darkweb marketplace BidenCash has released 1.9 million stolen credit card records for free to promote its platform among cybercriminals. BidenCash began operations in early 2022, offering stolen credit and debit card data accrued through phishing or skimming on e-commerce sites. The released card data includes numbers, expiration dates, and CVVs, with most cards expiring between 2025 and 2029, although some cards that expired in 2023 were also found. This is the fourth such data dump by BidenCash since October 2022, cumulatively amounting to over 5 million cards, although previous dumps have included duplicates and invalid cards. Valid cards in the dump are at risk of fraudulent transactions and could also facilitate scams targeting bank employees. Given BidenCash's reputation for genuine data, the pack raises concern despite lacking some of the data quality seen in prior releases. To counter payment data risks, the recommendation is to shop with reputable outlets, use digital payments or single-use cards, and secure accounts with two-factor authentication. |
| 2023-12-21 14:31:57 | bleepingcomputer | MALWARE | Android Trojan Chameleon Targets Biometrics to Steal PINs | The Chameleon Android trojan has evolved and is now capable of disabling fingerprint and face unlock features to compel users to enter their PINs, which it then steals. This newest variant can infect devices running Android 13 and later by tricking users into manually enabling Accessibility permissions through an HTML page. Initially impersonating Australian entities, the malware is distributed through the Zombinder service as a fake Google Chrome application. Zombinder is designed to attach malware to seemingly legitimate apps, bypassing runtime detection, Google Protect alerts, and antivirus software. Chameleon uses its access to interrupt biometric security features and capture PINs, enabling attackers to unlock devices and perform malicious operations without detection. ThreatFabric, which tracks Chameleon's development, notes added task-scheduling functionality that optimizes the trojan's attack effectiveness. Users are advised to download apps only from official sources, ensure Play Protect is enabled, and perform regular device scans to prevent and detect malware infections. |
| 2023-12-21 14:16:12 | theregister | CYBERCRIME | Widespread Ignorance of Critical Flaw in Apache Struts 2 Downloads | Sonatype reveals that 80% of recent Apache Struts 2 downloads contain a critical remote code execution vulnerability (CVE-2023-50164). The vulnerability lies in the framework's file upload feature, which could allow attackers to upload and execute malicious files on a server. Despite the availability of patched versions, developers continue to download vulnerable versions at an alarming rate, exposing themselves to serious cyber threats. Proof-of-concept (PoC) exploit code has been released, and government cyber advisory services have urged rapid patching. The exploitability of the flaw is limited by certain preconditions, which may explain the low download rate for the fixed version. Despite the low likelihood of general exploitation, the potential exists for targeted, automatable attacks if attackers can identify exploitable endpoints. Organizations' reduced staffing levels during holiday seasons could contribute to delayed security upgrades and heightened vulnerability. Experts urge developers and organizations to maintain vigilance and promptly update their Apache Struts 2 deployments to mitigate risks. |
| 2023-12-21 12:44:11 | thehackernews | MALWARE | New Malware Attacks Banks Globally, 50,000 Users' Credentials Stolen | A sophisticated JavaScript malware has targeted over 40 financial institutions, compromising over 50,000 online banking sessions globally. IBM Security Trusteer uncovered the campaign, which leverages web injections to steal banking credentials, in March 2023. The malware manipulates bank login pages using scripts from a threat actor-controlled server, designed for pages with a common structure across multiple banks. It is speculated that the initial delivery of the malware could be through phishing or malvertising, followed by harvesting of credentials and one-time passwords. The malware's dynamic behavior includes continuously adjusting to the bank's webpage and to command-and-control server instructions, even staging fake error messages to delay victim login attempts. Indicators of compromise suggest a link to DanaBot, a known malware family responsible for providing initial access for ransomware attacks. Separate investigations by Sophos and Group-IB outlined related cyber fraud activities, ranging from investment schemes to phishing websites impersonating postal and delivery services, indicative of an organized crime ring's involvement. |
| 2023-12-21 11:07:24 | theregister | MISCELLANEOUS | Mozilla to Adopt Trusted Types, Enhancing Web Security | Mozilla has revised its position and plans to implement Trusted Types in Firefox to combat DOM-based XSS (cross-site scripting) attacks. Trusted Types, aimed at preventing XSS vulnerabilities, have proven effective on websites visited with Chrome and Edge since their introduction. DOM-XSS, once a top web security concern, has seen reduced occurrence in the Chromium ecosystem due to Trusted Types. Adoption of Trusted Types has led to a significant reduction of XSS issues on Google properties, falling from 30% of VRP rewards in 2018 to 4.1% in 2023. Despite Mozilla's positive stance, Firefox's integration of Trusted Types is pending due to some unresolved technical issues. Other major tech companies, such as Meta, have also supported Trusted Types, suggesting a push for broader browser and website adoption. Bruce Perens, an Open Source movement pioneer, advocated for Trusted Types, noting that they help identify potential XSS vulnerabilities during web app development. Effective use of Trusted Types requires proper implementation by developers, emphasizing the importance of competent programming to safeguard against XSS. |
| 2023-12-21 10:56:55 | thehackernews | DATA BREACH | Record High Data Breach Costs Spur Investment in Security Practices | The average cost of a data breach in 2023 reached an all-time high of $4.45 million, with healthcare experiencing the costliest incidents. Healthcare breaches cost almost double those of the next costliest industry, owing to the value of PHI data, a focus on operations over security, and stringent regulations. The United States, the Middle East, and Canada had the highest breach costs, reflecting the tendency of attackers to target wealthier regions. While 51% of organizations said they would increase security investment post-breach, most planned to allocate funds toward incident response and employee training. Deploying AI and automation in security saved organizations an average of $1.76 million per breach and reduced response time by 108 days. Data breaches spanning multiple types of environments, such as hybrid clouds, took longer to contain and cost an additional $750,000 on average. Internal breach detection by security teams and involvement of law enforcement authorities led to faster containment and cost reduction. Recommendations include building security into all software and hardware development stages, protecting data across environments, utilizing AI and automation, and having a strong incident response practice. |
| 2023-12-21 10:09:17 | thehackernews | CYBERCRIME | German Law Enforcement Shuts Down Dark Web 'Kingdom Market' | German police, with international partners, have disrupted the dark web platform 'Kingdom Market', used for narcotics sales and malware distribution. 'Kingdom Market' had been active since at least March 2021, offering illegal drugs, malware, criminal services, and forged documents, accessible via TOR and I2P. The platform operated at significant scale, with 42,000 listed products and several hundred sellers, including 3,600 drug listings from Germany. Transactions on the site were conducted using cryptocurrencies such as Bitcoin and Litecoin, with the operators earning a commission. German authorities have initiated an investigation into the platform's seized servers, and legal actions are underway. An individual allegedly associated with 'Kingdom Market', identified as Slovakian national Alan Bill, has been charged in the U.S. with identity theft and money laundering. The takedown of 'Kingdom Market' follows recent successful actions against other cybercrime operations, including the disruption of the BlackCat ransomware group's activities. |
| 2023-12-21 10:03:58 | bleepingcomputer | MALWARE | Chameleon Malware Disables Biometrics to Hijack Android Devices | The Chameleon Android banking trojan's new variant disables fingerprint and facial recognition, coercing users into entering their PINs. The malware employs HTML tricks and the disabling of biometrics to gain control and capture device PINs, allowing unauthorized access. Initially imitating Australian entities, Chameleon now spreads via Zombinder, which binds malware to legitimate apps so that it goes undetected by antivirus software. A new attack vector prompts users to override Android 13's "Restricted setting" so the Accessibility service can be used, a technique commonly abused by malware. Chameleon has gained capabilities such as scheduled tasks, used to pick the periods of activity for malicious injections or data collection. ThreatFabric experts advise against downloading APKs from non-official sources and recommend keeping Play Protect enabled for regular malware checks. |
| 2023-12-21 07:25:44 | thehackernews | MALWARE | Hackers Utilize Old MS Office Flaw to Deploy Agent Tesla Malware | Hackers are exploiting a known Microsoft Office vulnerability (CVE-2017-11882) to disseminate Agent Tesla malware through phishing campaigns. The malware spreads via deceptive Excel attachments in emails disguised as invoices, prompting the execution of malicious code without further user interaction. Zscaler ThreatLabz and Fortinet FortiGuard Labs have reported on the phishing campaign, describing the attackers' use of a Visual Basic Script to download additional malicious files. The malware uses a steganography technique to hide a Base64-encoded DLL within a JPG image, which is then injected into a legitimate Windows process (RegAsm.exe) to avoid detection. Agent Tesla functions as a sophisticated keylogger and remote access trojan (RAT), designed to harvest and exfiltrate sensitive information from infected systems. This incident highlights ongoing security challenges as threat actors continue to leverage older vulnerabilities, underscoring the need for enterprises to adopt advanced security measures such as Zero Trust frameworks. The attack methodology aligns with a broader trend of cybercriminals repurposing old security flaws for new attacks, as observed in recent activities by the 8220 Gang and an increase in DarkGate malware campaigns. |
| 2023-12-21 04:37:32 | theregister | DATA BREACH | NASA Needs Improvement in Data Protection and Breach Response | NASA's Office of Inspector General (OIG) has found that while NASA has a comprehensive privacy program, there is room for improvement in protecting personal information. The audit revealed that NASA has yet to fully implement Data Loss Prevention (DLP) in Microsoft 365, which is currently being rolled out. Between October 2021 and March 2023, users self-reported 118 data loss incidents, but the reports lacked consistency in identifying affected accounts and root causes. NASA's breach response plan is unclear due to conflicting instructions across several documents, resulting in uncertainty about when to form a Breach Response Team (BRT). Some BRT members are missing required annual training, including participation in breach response simulations. There is no mandatory privacy role-based training for individuals assigned security and privacy roles. Inconsistencies in privacy reporting could lead to incomplete compliance with laws and policies, risking failure to notify the public about data collection and storage. NASA management has agreed to implement the recommendations of the OIG report but will revisit the requirement for specific privacy and security role-based training, as the current plan to address it has been deemed not effective. |
| 2023-12-21 03:51:30 | thehackernews | CYBERCRIME | Google Addresses Actively Exploited Chrome Zero-Day Vulnerability | Google has issued updates for Chrome to patch a high-severity zero-day flaw, CVE-2023-7024, exploited in the wild. The vulnerability is a heap-based buffer overflow in the WebRTC framework that could lead to crashes or arbitrary code execution. Discovered by Google's Threat Analysis Group, details about the flaw are being withheld to prevent further exploitation. This marks the eighth Chrome zero-day addressed in 2023, with overall disclosed vulnerabilities reaching 26,447 this year. The most prevalent vulnerability types in 2023 include remote code execution, security feature bypass, and buffer manipulation. Chrome users are urged to update to version 120.0.6099.129/130 for Windows or 120.0.6099.129 for macOS and Linux. Users of other Chromium-based browsers, such as Microsoft Edge and Brave, should apply updates as they are released. |
| 2023-12-20 23:46:57 | theregister | MALWARE | Malicious JavaScript Hijacks 50K Bank Logins Worldwide | IBM Security identified JavaScript code injected into online banking sessions that stole login credentials, affecting 50,000 users at over 40 banks globally. The malware, believed to be related to DanaBot, enters via victims' PCs, often through spam emails, and becomes active when users access their bank's website. The script is sophisticated, with the ability to intercept multi-factor authentication tokens and communicate with a command-and-control server for specific actions. Attackers can manipulate user interactions by prompting for additional credentials such as phone numbers or two-factor tokens, and can inject fake error messages or overlays to hinder user access. Threat actors used domain names purchased in December 2022 for the web injection campaign, which continues to surreptitiously harvest banking credentials. IBM emphasizes the importance of robust cybersecurity practices for banking customers, including strong, unique passwords and caution when downloading software. Additional malware dubbed JaskaGO also poses a threat to Windows and macOS by stealing data and targeting cryptocurrency wallets, with AT&T Alien Labs providing indicators of compromise. |