Daily Brief
Find articles below; each row carries a generated summary of the story.
Total articles found: 11541
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-09-05 14:41:21 | thehackernews | CYBERCRIME | Way Too Vulnerable: Uncovering the State of the Identity Attack Surface | Organizations heavily depend on digital assets in today's digital age.<br>The real battleground in cybersecurity has shifted to user identities.<br>Many organizations are unaware of security gaps and vulnerabilities.<br>Silverfort commissioned a comprehensive study on the Identity Attack Surface.<br>The webinar aims to provide insights and actionable steps to improve cybersecurity.<br>The digital landscape is evolving with new threats, and organizations need to stay ahead.<br>Attendees will discover ways to transform their perception of cybersecurity.<br>Registration is open for the webinar to fortify organizations' cybersecurity. |
| 2023-09-05 14:41:21 | thehackernews | DATA BREACH | Key Cybersecurity Tools That Can Mitigate the Cost of a Breach | The average cost of a data breach rose to $4.45 million, a 15% increase over the last three years.<br>Healthcare organizations suffered the highest average loss at $10.93 million, followed by the finance industry at $5.9 million.<br>Organizations with fewer than 500 employees experienced higher average data breach costs in 2023 ($3.31 million) than in previous years.<br>Phishing and stolen credentials are still the most common initial attack vectors, with phishing costing an average of $4.76 million and stolen credentials an average of $4.62 million.<br>Integrating a third-party tool into Active Directory can provide added control and visibility over compromised passwords.<br>Rapid incident response is crucial to mitigating the financial impact of a data breach: companies that detected compromises within 200 days lost $3.93 million on average, compared to more for those that identified the issue later.<br>Understanding and securing the cloud is essential, as 82% of breached data was stored in the cloud; cloud misconfigurations and supply chain attacks were prevalent in the surveyed organizations.<br>External Attack Surface Management (EASM) and risk-based vulnerability management can significantly reduce the time to identify and contain a data breach and lower breach costs. |
| 2023-09-05 14:41:21 | thehackernews | CYBERCRIME | Lazarus Group's Andariel Cluster Uses Cyber Weapons in Attacks | Andariel, a North Korean threat actor, has been using various malicious tools in cyber assaults against corporations and organizations in South Korea.<br>The attacks involve malware strains developed in the Go language.<br>Andariel is a sub-cluster of the Lazarus Group, active since 2008.<br>Financial institutions, defense contractors, government agencies, universities, cybersecurity vendors, and energy companies are targeted.<br>Initial infection vectors include spear-phishing, watering holes, and supply chain attacks.<br>Malware families employed by Andariel include Gh0st RAT, DTrack, YamaBot, NukeSped, and more.<br>Andariel recently exploited security flaws in Zoho ManageEngine ServiceDesk Plus using QuiteRAT.<br>The group carries out attacks for financial gain and for national security-related information. |
| 2023-09-05 14:41:21 | thehackernews | MALWARE | New Python Variant of Chaes Malware Targets Banking and Logistics Industries | A reworked variant of the Chaes malware is targeting the banking and logistics industries.<br>The malware has been rewritten in Python, making it harder for traditional defense systems to detect.<br>Chaes primarily targets e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information.<br>The threat actors behind the malware, known as Lucifer, have breached over 800 WordPress websites to deliver Chaes to users.<br>The latest version, called Chae$ 4, includes significant transformations and enhancements, such as expanded credential theft capabilities and clipper functionality.<br>The malware is delivered through compromised websites, with victims prompted to download an installer for Java Runtime or an antivirus solution.<br>ChaesCore, the primary orchestrator module, establishes a communication channel with the command-and-control server to fetch additional modules.<br>The malware now targets cryptocurrency transfers and instant payments via Brazil's PIX platform, highlighting the threat actors' financial motivations. |
| 2023-09-05 14:41:21 | bleepingcomputer | CYBERCRIME | Hackers Target IT Help Desks to Disable MFA and Gain Super Admin Access | Hackers are targeting IT service desk agents in social engineering attacks.<br>Their goal is to trick agents into resetting multi-factor authentication (MFA) for highly privileged users.<br>The attackers aim to hijack Okta Super Administrator accounts and abuse identity federation features for impersonation.<br>They were able to compromise Super Admin accounts by tampering with the authentication flow or by already holding passwords for privileged accounts.<br>Once they gain admin access, they elevate privileges for other accounts, reset enrolled authenticators, and remove 2FA protection.<br>The hackers use a second identity provider to impersonate users and access applications through single sign-on (SSO) authentication.<br>Okta recommends security measures to protect admin accounts from external actors.<br>Okta has provided indicators of compromise and IP addresses associated with the attacks for additional protection measures. |
| 2023-09-05 14:41:21 | bleepingcomputer | DATA BREACH | Hackers Exploit MinIO Storage System to Breach Corporate Networks | Hackers are exploiting vulnerabilities in the MinIO storage system to breach object storage systems and access private information.<br>Two vulnerabilities, CVE-2023-28432 and CVE-2023-28434, are being used by attackers to execute arbitrary code and potentially take over servers.<br>Attackers are using a modified version of MinIO called Evil MinIO, which replaces the legitimate software with modified code that adds a backdoor.<br>The attack begins with social engineering to convince a DevOps engineer to downgrade to a vulnerable version of MinIO.<br>Hackers exploit one vulnerability to remotely access server environment variables and administrative credentials.<br>The malicious update replaces legitimate code with a tampered version that allows remote command execution.<br>The backdoor in Evil MinIO is not detected by antivirus engines on VirusTotal.<br>After breaching the storage system, attackers establish a communication channel with a command-and-control server and download additional payloads for post-compromise activity.<br>38% of MinIO instances exposed on the public internet are confirmed to run a non-vulnerable version, but administrators should still apply the security update to protect against attacks. |
| 2023-09-05 14:41:21 | bleepingcomputer | DDOS | German Financial Agency Website Targeted by Ongoing DDoS Attack | The German Federal Financial Supervisory Authority (BaFin) has been experiencing an ongoing distributed denial-of-service (DDoS) attack on its website since Friday.<br>BaFin is responsible for regulating banks, financial, and insurance service providers in Germany.<br>The agency has taken security precautions and defensive measures, including taking its public website offline, but assures that its crucial systems are unaffected.<br>The website hosts consumer and regulation information, important documents, a database of registered companies, job vacancies, and a platform for whistleblowers.<br>BaFin's IT team is working to restore public access to the website, but it is unclear when this will be accomplished. |
| 2023-09-05 14:41:21 | bleepingcomputer | DATA BREACH | Insurer Fined $3M for Exposing Data of 650k Clients for Two Years | Swedish insurer Trygg-Hansa has been fined $3 million for exposing sensitive data of hundreds of thousands of customers.<br>The investigation was initiated after a customer alerted authorities about the accessibility of a backend database.<br>The backend database could be accessed without authentication, allowing browsing of other individuals' private documents.<br>Approximately 650,000 customers were affected by the data exposure.<br>Data was exposed for more than two years, increasing the risk of exploitation by cybercriminals.<br>At least 202 cases of personal information exposure were confirmed, but more cases may exist.<br>The insurer's failure to address the issue despite receiving reports indicates a severe shortfall in data security and risk mitigation measures.<br>The Swedish Authority for Privacy Protection imposed an administrative penalty of $3 million on the insurer. |
| 2023-09-05 14:41:21 | bleepingcomputer | DATA BREACH | Freecycle Confirms Massive Data Breach Impacting 7 Million Users | Nonprofit organization Freecycle confirms a massive data breach affecting over 7 million users.<br>Stolen data, including usernames, user IDs, email addresses, and hashed passwords, was put up for sale on a hacking forum.<br>The threat actor claims to have full access to member information and forum posts, including the credentials of Freecycle's founder and executive director.<br>Users are advised to change their passwords and to expect potential delays in the password reset process.<br>Freecycle has reported the breach to the appropriate authorities.<br>Users are cautioned to remain vigilant against phishing emails and to be wary of spam. |
| 2023-09-01 16:42:29 | thehackernews | RANSOMWARE | Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware | Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.<br>The campaign, dubbed DB#JAMMER, utilizes a range of tools, including enumeration software, RAT payloads, exploitation and credential-stealing software, and ransomware payloads.<br>Initial access is gained by brute-forcing the MS SQL server, which the attackers then use to conduct reconnaissance and establish persistence.<br>The attackers distribute AnyDesk software to push the FreeWorld ransomware after installing malicious tools such as Cobalt Strike.<br>The attackers have unsuccessfully attempted to establish RDP persistence through Ngrok.<br>The use of strong passwords, especially on publicly exposed services, is emphasized as crucial in preventing such attacks.<br>2023 has seen a surge in ransomware attacks, with a record-low percentage of victims paying but high average ransom amounts.<br>Ransomware threat actors are evolving their tradecraft, including sharing attack details to show why victims are not eligible for cyber insurance payouts. |
| 2023-09-01 14:36:12 | theregister | DDOS | Defeating a DDoS Swarm: Protecting Your Business from Attack | DDoS attacks are becoming increasingly common, and their volume and scale are rising steeply.<br>In 2023, DDoS attacks are forecast to exceed previous records as hacktivists, cyber criminals, and state actors aim to disrupt the internet with spurious web traffic.<br>The article promotes a webinar led by Cloudflare's Derek Chamorro, who will discuss how to identify and defend against DDoS threats.<br>The webinar will provide advice on mitigating the consequences of a DDoS attack and building effective defenses.<br>Readers are encouraged to sign up for the DDoS mitigation webinar for further guidance and reminders. |
| 2023-09-01 14:24:15 | bleepingcomputer | DATA BREACH | Golf gear giant Callaway data breach exposes info of 1.1 million | Callaway experienced a data breach in early August, exposing sensitive personal and account data of over a million customers.<br>The breach affected customers of Callaway and its sub-brands Odyssey, Ogio, and Callaway Golf Preowned sites.<br>Compromised customer data includes user account information such as passwords and security questions.<br>No payment card information, government IDs, or Social Security Numbers (SSNs) were exposed.<br>Callaway has forced a password reset for all customer accounts and provided instructions on how to proceed.<br>Users should change passwords on any other websites or online services where they used the same credentials, and be cautious of unknown senders requesting additional data. |
| 2023-09-01 12:34:02 | bleepingcomputer | MALWARE | DreamBus Malware Exploits RocketMQ Flaw to Infect Servers | A new version of the DreamBus botnet malware is leveraging a critical vulnerability in RocketMQ servers to infect devices.<br>The vulnerability, tracked as CVE-2023-33246, is a permission verification issue in RocketMQ version 5.1.0 and older.<br>DreamBus attacks targeting the vulnerability were first observed in early June, with a spike in activity in mid-June.<br>Attackers use the 'interactsh' reconnaissance tool to identify vulnerable servers and download a malicious bash script named 'reketed' to install the DreamBus main module.<br>DreamBus remains active on infected systems by setting up a system service and a cron job, with lateral spreading mechanisms and a scanner module for discovering vulnerabilities.<br>The primary goal of the DreamBus campaign appears to be Monero mining, but the modular nature of the malware enables future expansion of its capabilities.<br>Administrators are advised to upgrade to RocketMQ version 5.1.1 or later to mitigate the risk of DreamBus attacks.<br>Good patch management across all software products is recommended to combat this malware and similar threats. |
| 2023-09-01 12:34:02 | bleepingcomputer | MALWARE | The FBI Successfully Disrupts Qakbot Malware and Removes it from Infected Devices | The FBI carried out a law enforcement operation called Operation Duck Hunt to disrupt the Qakbot botnet.<br>The operation seized the botnet's infrastructure and uninstalled the Qakbot malware from infected devices.<br>Qakbot, also known as Qbot and Pinkslipbot, is a banking trojan that evolved into a malware delivery service used for ransomware attacks and data theft.<br>The malware is distributed through phishing campaigns and reply-chain email attacks, and exploits zero-day vulnerabilities in Windows.<br>Qakbot operators partnered with ransomware gangs to provide initial access to networks.<br>The FBI dismantled the botnet by seizing the attackers' servers and creating a removal tool to uninstall the malware.<br>The FBI accessed the encryption keys Qakbot used for communication and replaced the malware with an FBI-controlled module.<br>A custom DLL file issued by the FBI acted as a removal tool and stopped the Qakbot process on infected devices.<br>The FBI expects further devices to be cleaned as they connect back to the hijacked Qakbot infrastructure. |
| 2023-09-01 12:34:02 | bleepingcomputer | MALWARE | Trojanized Signal and Telegram Apps Deliver Spyware | The Chinese APT hacking group GREF uploaded trojanized Signal and Telegram apps containing the BadBazaar spyware to Google Play and the Samsung Galaxy Store.<br>BadBazaar spyware was previously used to target ethnic minorities in China but is now targeting users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States.<br>BadBazaar spyware can track device location, steal call logs and SMS, record phone calls, take pictures, exfiltrate contact lists, and steal files or databases.<br>GREF used trojanized versions of the apps named "Signal Plus Messenger" and "FlyGram," with dedicated websites to add legitimacy to the campaign.<br>FlyGram targets sensitive data such as contact lists, call logs, Google accounts, and Wi-Fi data, while Signal Plus Messenger focuses on extracting Signal-specific information and allows attackers to link to victims' Signal accounts without their knowledge.<br>At least 13,953 FlyGram users enabled a backup feature that sent communication data to an attacker-controlled server.<br>Android users are advised to use the original versions of Signal and Telegram and to avoid downloading forked apps that promise enhanced privacy or additional features, even from official app stores. |