Daily Brief

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. The campaign, dubbed DB#JAMMER, utilizes a range of tools, including enumeration software, RAT payloads, exploitation and credential stealing software, and ransomware payloads. Initial access is gained by brute-forcing the MS SQL server, and the attackers then use it to conduct reconnaissance and establish persistence. The attackers distribute AnyDesk software to push FreeWorld ransomware after installing malicious tools like Cobalt Strike. The attackers have unsuccessfully attempted to establish RDP persistence through Ngrok. The use of strong passwords, especially on publicly exposed services, is emphasized as crucial in preventing such attacks. 2023 has seen a surge in ransomware attacks, with a record-low percentage of victims paying, but high average ransom amounts. Ransomware threat actors are evolving their tradecraft, including sharing attack details to show why victims are not eligible for cyber insurance payouts.

DDoS attacks are becoming increasingly common and their volume and scale are rising steeply. In 2023, DDoS attacks are forecasted to exceed previous records as hacktivists, cyber criminals, and state players aim to disrupt the internet with spurious web traffic. The article promotes a webinar led by Cloudflare's Derek Chamorro, who will discuss how to identify and defend against DDoS threats. The webinar will provide advice on mitigating the consequences of a DDoS attack and building effective defenses. Readers are encouraged to sign up for the DDoS mitigation webinar for further guidance and reminders.

Callaway experienced a data breach in early August, exposing sensitive personal and account data of over a million customers The breach affected customers of Callaway and its sub-brands Odyssey, Ogio, and Callaway Gold Preowned sites Compromised customer data includes user account information such as passwords and security questions No payment card information, government ID, or Social Security Numbers (SSNs) were exposed Callaway has forced a password reset for all customer accounts and provided instructions on how to proceed Users should change passwords for other websites or online services using different credentials and be cautious of unknown senders requesting additional data.

A new version of the DreamBus botnet malware is leveraging a critical vulnerability in RocketMQ servers to infect devices. The vulnerability, tracked as CVE-2023-33246, is a permission verification issue in RocketMQ version 5.1.0 and older. DreamBus attacks targeting the vulnerability were first observed in early June, with a spike in activity in mid-June. Attackers use the 'interactsh' reconnaissance tool to identify vulnerable servers and download a malicious bash script named 'reketed' to install the DreamBus main module. DreamBus remains active on infected systems by setting up a system service and a cron job, with lateral spreading mechanisms and a scanner module for discovering vulnerabilities. The primary goal of the DreamBus campaign appears to be Monero mining, but the modular nature of the malware enables future expansion of capabilities. Administrators are advised to upgrade to RocketMQ version 5.1.1 or later to mitigate the risk of DreamBus attacks. Good patch management across all software products is recommended to combat this malware and similar threats.

The FBI carried out a law enforcement operation called Operation Duck Hunt to disrupt the Qakbot botnet. The operation seized the botnet's infrastructure and uninstalled the Qakbot malware from infected devices. Qakbot, also known as Qbot and Pinkslipbot, is a banking trojan that evolved into a malware delivery service used for ransomware attacks and data theft. The malware is distributed through phishing campaigns, reply-chain email attacks, and exploits zero-day vulnerabilities in Windows. Qakbot operators partnered with ransomware gangs to gain initial access to networks. The FBI dismantled the botnet by seizing the attacker's servers and creating a removal tool to uninstall the malware. The FBI accessed encryption keys used by Qakbot for communication and replaced the malware with an FBI-controlled module. A custom DLL file issued by the FBI acted as a removal tool and stopped the Qakbot process on infected devices. The FBI expects further devices to be cleaned as they connect back to the hijacked Qakbot infrastructure.

Chinese APT hacking group, GREF, uploaded trojanized Signal and Telegram apps containing the BadBazaar spyware onto Google Play and Samsung Galaxy Store BadBazaar spyware was previously used to target ethnic minorities in China but is now targeting users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States BadBazaar spyware can track device location, steal call logs and SMS, record phone calls, take pictures, exfiltrate contact lists, and steal files or databases GREF used trojanized versions of the apps named "Signal Plus Messenger" and "FlyGram," with dedicated websites to add legitimacy to the campaign FlyGram targets sensitive data such as contact lists, call logs, Google Accounts, and WiFi data, while Signal Plus Messenger focuses on extracting Signal-specific information and allows attackers to link to victims' Signal accounts without their knowledge At least 13,953 FlyGram users enabled a backup feature that sent communication data to an attacker-controlled server Android users are advised to use the original versions of Signal and Telegram and avoid downloading fork apps promising enhanced privacy or additional features from official app stores.

Hackers are targeting Cisco Adaptive Security Appliance (ASA) SSL VPNs in credential stuffing and brute-force attacks. Rapid7 security researchers confirm that attackers have been attempting to guess login credentials since March of this year. No instances have been found where the attackers bypassed multi-factor authentication (MFA). At least 11 customers have been breached in Cisco ASA-related attacks between March and August. Most attacks utilized similar infrastructure and common usernames. Attackers remotely accessed networks and compromised systems using stolen domain credentials. Some breaches led to LockBit and Akira ransomware attacks. Admins and security teams are advised to deactivate default accounts and passwords and enforce MFA for all VPN users.

VMware Aria Operations for Networks is vulnerable to a critical severity authentication bypass flaw. The flaw allows remote attackers to bypass SSH authentication and access private endpoints. Exploiting the flaw could lead to data exfiltration or manipulation through the product's command line interface. Upgrading to version 6.11 or applying the KB94152 patch is the only way to remediate the critical flaw, as no workarounds or mitigation recommendations have been provided. Another high-severity flaw, CVE-2023-20890, also addressed by the patch, allows for arbitrary file write and remote code execution. Due to the value of assets held by large organizations using this software, hackers are quick to exploit critical severity flaws. Active exploitation of previous vulnerabilities in Aria Operations for Networks has already been reported, emphasizing the need for prompt patching or upgrading. Delaying patching or upgrading would significantly increase the risk of hacker attacks on the network.

Popular WordPress data migration plugin, All-in-One WP Migration, has a flaw that could lead to data breaches The flaw allows unauthenticated access token manipulation, giving attackers access to sensitive site information Various premium extensions of the plugin contain the same vulnerable code Attackers could divert website migration data or restore malicious backups The primary ramification is a potential data breach, including user details and proprietary information The issue was discovered by PatchStack's researcher and reported to ServMask, the plugin's vendor ServMask released security updates to fix the flaw Users of the impacted extensions are advised to upgrade to the fixed versions and use the latest version of the base plugin.

Apple is accepting applications from iOS security researchers to receive a Security Research Device (SRD) iPhone 14 Pro. SRDs are specially-built devices with disabled security features and shell access for vulnerability research on the iOS platform. Researchers can use the SRD to discover vulnerabilities and have them considered for Apple's Security Bounty program. The SRDs are 12-month renewable loans and should only be used by authorized individuals and remain within the premises of the security research facility. Universities can also request access to the SRDs for instructional purposes. Applications for the 2024 iPhone Security Research Device Program are open until October 31. Accepted participants will be notified at the beginning of 2024.

American entertainment giant Paramount Global disclosed a data breach after its systems were hacked Attackers gained access to personally identifiable information (PII) Breach occurred between May and June 2023 Personal information that may have been accessed includes names, dates of birth, Social Security numbers, and government-issued identification numbers Paramount has taken steps to secure impacted systems and is conducting an investigation A cybersecurity expert has been hired to assist with the investigation Paramount is collaborating with law enforcement agents Upgrading security measures to prevent future incidents

The "Classiscam" scam-as-a-service operation is targeting banks and 251 brands worldwide. Affiliates of Classiscam use phishing kits to create fake ads and pages to steal money, credit card information, and banking credentials. Developers and affiliates split the proceeds, with the developers receiving 20-30% of the revenue. Classiscam has grown significantly, with 90 Telegram channels selling scam kits, 38,000 registered members, and estimated total damage of $29 million. The operation has made $64.5 million in combined earnings and is targeting users in 79 countries. The highest targeting focus is in Europe, with Germany being the most prolific victim. Classiscam has become more automated, using Telegram bots to create phishing and scam ad pages. The operation now includes fake bank login pages to steal e-banking account credentials.

Hackers affiliated with the GRU, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, have been targeting Android devices in Ukraine with a new malware framework called 'Infamous Chisel' The malware provides backdoor access through the Tor anonymity network, allowing hackers to scan local files, intercept network traffic, and exfiltrate data Infamous Chisel primarily targets Android devices and scans for information related to the Ukrainian military, sending the data to the attackers' servers The malware is capable of gathering hardware information, probing local area networks, and giving attackers remote access Data exfiltration occurs every 86,000 seconds (one day), and the most critical military data is exfiltrated every 600 seconds (ten minutes) The malware is not particularly stealthy and seems to prioritize quick data exfiltration and pivoting to more valuable military networks The UK National Cyber Security Center (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have released reports on Infamous Chisel, providing technical details and indicators of compromise for detection and defense

Microsoft has joined other organizations in criticizing the draft version of the UN cybercrime treaty The company warns that the proposal is vague and could lead to the criminalization of ethical hacking and security practices Microsoft argues that the treaty could be used by authoritarian states to suppress dissent under the guise of fighting cybercrime The international community needs to protect ethical hackers and include language that ensures lawful cybersecurity work Microsoft also calls for increased transparency and aligning the treaty with existing data protection standards

Stolen or weak usernames and passwords are one of the most potent weapons for cyber adversaries Compromised credentials allow unauthorized access to networks and systems Current security solutions struggle to distinguish between legitimate and malicious use of compromised credentials Attackers use various techniques to obtain compromised credentials, including purchasing them from Dark Web marketplaces or using keyloggers Active Directory (AD) environments are highly vulnerable to attacks using compromised credentials AD lacks native multi-factor authentication (MFA) support, making it susceptible to lateral movement attacks Silverfort Unified Identity Protection offers comprehensive security for AD environments, including continuous monitoring, risk analysis, and active response By implementing Silverfort, organizations can mitigate the risks associated with compromised credentials and enhance AD security posture.