Daily Brief
Find articles below; see 'DETAILS' for generated summaries.
Total articles found: 12611
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-08 14:22:30 | thehackernews | CYBERCRIME | Cryptocurrency Mining Exploits Identified on Microsoft Azure Automation | Cybersecurity company SafeBreach identified three methods to run fully undetectable cloud-based cryptocurrency miners on the Microsoft Azure Automation service without incurring charges. These methods could potentially be used for any task on Azure that requires code execution. The researchers were looking for an "ultimate crypto miner": one offering unlimited access to resources, requiring minimal maintenance, and being both cost-free and undetectable. They identified a bug in the Azure pricing calculator that allowed an unlimited number of jobs to be executed at no charge. Another method creates a test job for mining, marks it as 'Failed', and then creates a dummy test job; because only one test can run at a time, this hides code execution in the Azure environment. A threat actor could use these methods to establish a reverse shell to an external server and authenticate to the Automation endpoint. Code execution could also be achieved through Azure Automation's feature that lets users upload custom Python packages. Microsoft has issued a fix for the pricing calculator bug, but stated that the remaining method's exploitability is 'by design'. | Details |
| 2023-11-08 14:01:21 | theregister | CYBERCRIME | Atlassian Upgrades Severity of Confluence Vulnerability after Data Breaches Emerge | Atlassian has raised the severity rating of the recent improper authorization vulnerability in Confluence Data Center and Server, increasing its CVSS score from 9.1 to the maximum of 10. Initial assessments warned of "significant data loss", but it is now understood that an attacker could create an admin account, with consequences extending well beyond data loss. All versions of Confluence are affected by the vulnerability, which has now been confirmed to be actively exploited. Security firm Rapid7 reported possible mass exploitation attempts beginning on November 5 and highlighted the deployment of the Cerber ransomware strain. Rapid exploitation attempts following the release of a patch highlight the speed at which adversaries build distribution mechanisms for their exploits. A Shodan search for "Confluence" returned over 200,000 results, indicating how widely exposed these systems are on the internet. Atlassian advises all vulnerable customers to upgrade immediately and provides temporary mitigations where an immediate upgrade is not possible. | Details |
| 2023-11-08 14:01:21 | thehackernews | DATA BREACH | WhatsApp Introduces Privacy Feature to Mask Users' IP Addresses in Calls | WhatsApp, owned by Meta, has introduced a new privacy feature named "Protect IP Address in Calls" to shield users' IP addresses during calls. The feature works by routing calls through WhatsApp servers, making it more difficult for bad actors to discern a caller's location. Although it adds an extra layer of privacy, the feature may lead to a slight decline in call quality. The feature, which is similar to Apple's iCloud Private Relay, has been under development since August 2023. It is aimed at enhancing privacy and security for WhatsApp's most privacy-conscious users. The introduction builds on a previously launched feature titled "Silence Unknown Callers", which reduces the risk of zero-click attacks and spyware. WhatsApp's approach uses a privacy token within a custom protocol to avoid processing data controlled by potential attackers. | Details |
| 2023-11-08 14:01:21 | bleepingcomputer | MISCELLANEOUS | WhatsApp Enhances User Privacy with New Features Hiding Location and Screening Unknown Calls | WhatsApp is introducing a new feature designed to enhance the privacy of its users by allowing them to hide their location during calls. This is achieved by routing the call connection through WhatsApp's servers, which hides the user's IP address. The feature, called "Protect IP Address in Calls", means that no caller's IP address metadata is accessible to other call participants. This obscures details of the user's internet service provider and their approximate geographical position. Importantly, although calls are routed through WhatsApp's servers, privacy remains paramount: all calls are end-to-end encrypted, and the company is unable to listen in. Group calls are always relayed through WhatsApp's servers by default, adding an additional layer of privacy and security. This new feature follows the company's ongoing efforts to boost user privacy. Last year, WhatsApp rolled out a feature called "Silence Unknown Callers", which screens out calls from unknown contacts, reducing the likelihood of spam, scam calls, or 'zero-click' attacks. WhatsApp's recently added "Chat Lock" feature further secures private conversations by allowing users to block access to their most private exchanges. | Details |
| 2023-11-08 12:59:56 | thehackernews | MALWARE | BlazeStealer Malware Discovered in Python Packages on PyPI Poses Threat to Developer Systems | A report from Checkmarx revealed a new form of malware called BlazeStealer hidden in seemingly harmless Python packages on the Python Package Index (PyPI) repository. The malware aims to steal sensitive information from compromised developer systems. Since January 2023, eight malicious packages have been detected on PyPI, with the latest released in October. When installed, the packages retrieve a Python script that executes immediately and runs a Discord bot. The bot allows the threat actor to gather information such as web browser passwords and screenshots, execute arbitrary commands, encrypt files, and disable Microsoft Defender Antivirus on the infected system. It can also consume excessive CPU, insert a Windows Batch script in the startup directory to shut down the machine, and even cause a blue screen of death error. The majority of the rogue package downloads were traced back to the U.S., followed by China, Russia, Ireland, Hong Kong, Croatia, France, and Spain. The packages were collectively downloaded 2,438 times before being removed. Checkmarx recommends that developers vet packages before using them, given that the open-source ecosystem is fertile ground for attackers. | Details |
| 2023-11-08 11:48:17 | theregister | CYBERCRIME | Monero Project Loses $437,000 in Mysterious Wallet-Draining Attack | The Monero Project has disclosed that its community crowdfunding system (CCS) wallet was drained of 2,675.73 XMR (~$437,000) on September 1, 2021. The funds were drained via nine separate transactions within minutes. The team suspects that the breach might be related to ongoing wallet-draining attacks observed since April. Additional security measures have been applied to protect other Monero wallets, including enabling a multisig protocol, which requires more than one individual to authorize any transaction. Monero's breach is part of a wider phenomenon: earlier this year Atomic Wallet lost funds from more than 5,000 wallets in a single attack, attributing the breach to the North Korean state-sponsored Lazarus Group. Discussion in the community suggests that the LastPass password manager breach could have been a factor in these wallet-draining attacks, as most affected users had their seeds stored in LastPass. However, LastPass CEO Karim Toubba disputes these claims, stating there is no current evidence linking the company's security incidents to the ongoing cryptocurrency theft. The method used to execute these wallet-draining attacks remains unknown despite investigations, underscoring the need for stronger security measures in the management of cryptocurrency wallets. | Details |
| 2023-11-08 11:12:01 | thehackernews | CYBERCRIME | Addressing Generative AI Risks: A Guide for vCISOs, MSPs, and MSSPs | The growing use of generative AI in sales, marketing, IT, executive, support and other operations comes with three main security concerns: the sensitivity of data used in gen AI prompts, the risky outputs these tools might generate, and the potential hazards tied to using third-party gen AI tools. Most organisations have started using generative AI tools to enhance their operations before implementing the necessary safeguards and cybersecurity constraints. Unregulated use of AI in organisations can have significant negative impacts. An effective response is not to cease the use of generative AI; instead, stakeholders like MSPs, MSSPs and vCISOs should take the initiative in flagging these security issues to their clients. Cynomi, a vCISO platform provider, offers a free guide detailing immediate preventative measures that service providers can implement to protect their customers from generative AI-associated risks. As part of their job, these security service providers need to make their clients aware of the potential risks of generative AI and teach them safe usage practices and effective tools. The purpose of the guide, "It's a Generative AI World: How vCISOs, MSPs and MSSPs Can Keep Their Customers Safe from Gen AI Risks," is to provide service providers with practical information to warn their customers about such threats and protect them against the potential negative impacts of generative AI deployment. | Details |
| 2023-11-08 09:34:41 | bleepingcomputer | CYBERCRIME | Threat Actor 'farnetwork' Tied to Five Ransomware Gangs, Indicates Long-Standing Activity in the Ransomware Business | Russian-speaking threat actor 'farnetwork' has been associated with five ransomware groups, notably JSWORM, Nefilim, Karma, Nemty, and Nokoyawa, assuming roles in malware development and operations management. Group-IB has tracked farnetwork's activities back to January 2019, establishing links to different strains of ransomware. Their activities include promoting ransomware-as-a-service (RaaS) programs and managing a botnet that gives affiliates access to compromised networks. Farnetwork recently shut down the Nokoyawa RaaS program after leaking the data of 35 victims in October, although Group-IB suspects this move is a tactic to cover their tracks and re-emerge under a new brand. Farnetwork was an operations manager for the Nokoyawa ransomware, recruiting affiliates, promoting the RaaS program on darknet forums, and managing a botnet. Farnetwork's affiliations show that some ransomware operations are managed by individuals experienced in the business who frequently rebrand to continue operating. These individuals often handle multiple elements of the ransomware chain, from development to deployment. Farnetwork was also responsible for testing potential associates by providing them with corporate account credentials stolen by info-stealers and sold on the Underground Cloud of Logs (UCL) service. The potential affiliates' task was to escalate their network privileges, steal files, run the encryptor, and demand a ransom. | Details |
| 2023-11-08 09:29:08 | thehackernews | MISCELLANEOUS | Webinar to Address Effective SaaS Security Strategies and Programs | Companies now depend on SaaS applications for about 70% of their total software usage, increasing the importance of ensuring those applications are secure. SaaS applications store large volumes of data, so it is critical to safeguard the organization's SaaS app stack and the data within it. The complexity of ensuring SaaS security arises from a multitude of attack vectors and dynamic environments that require constant updates and adjustments. Applications are often managed by various business departments, making it challenging for the security team to exercise complete control. The webinar aims to equip attendees with the essential steps to successfully implement a robust SaaS security strategy. It notably features Adaptive Shield's Senior Director of Customer Success, Effie Mansdorf, for insights on SaaS security. | Details |
| 2023-11-08 09:23:37 | theregister | CYBERCRIME | Blackfog Adopts Anti Data Exfiltration Technology for Improved Cybersecurity | Cyberattacks consistently target businesses for data theft, with the stolen data being used to enforce ransom demands. Many organizations are investing heavily in improving their security against external attacks, focusing mostly on perimeter defense and incoming traffic. Cybersecurity firm Blackfog is taking a different approach by implementing on-device anti data exfiltration (ADX) technology that uses AI-based behavioural analytics. The ADX technology restricts even administrators from sending unauthorized data outside the network. Blackfog believes that this approach provides the optimum defense against ransomware and extortion by blocking the unauthorized outflow of data. The Register's Tim Phillips will host a webinar in conversation with Dr Darren Williams, CEO and Founder of Blackfog, on November 15 to discuss the role and effectiveness of ADX technology in securing devices and data. The webinar aims to explain why traditional antivirus solutions are inadequate for stopping AI-enhanced intruders, making a case for innovative solutions like ADX technology. | Details |
| 2023-11-08 08:32:19 | theregister | NATION STATE ACTIVITY | EU digital identity rules may make HTTPS connections less secure | Incoming digital identity legislation across Europe, the electronic IDentification, Authentication and trust Services (eIDAS) 2.0 regulation, is raising concerns over security and potential surveillance. Civil society groups warn that the new rules, designed to cover elements such as electronic signatures, time stamps, delivery services and website authentication, could make the internet less safe. Under the new regulations, browser makers must trust government-approved Certificate Authorities (CAs) and may not implement security controls beyond those specified by the European Telecommunications Standards Institute (ETSI). This could allow governments to intercept and decrypt secure HTTPS connections between users and websites, enabling them to monitor user activity. The Electronic Frontier Foundation warns that the new legislation "returns us to the dark ages of 2011, when certificate authorities could collaborate with governments to spy on encrypted traffic." Four hundred cybersecurity experts and NGOs have called on EU lawmakers to clarify that Article 45 of the new regulation cannot be used to override browser trust decisions. Tech companies Google and Mozilla have also voiced concerns over the legislative changes. | Details |
| 2023-11-08 08:26:37 | thehackernews | CYBERCRIME | Cybersecurity Researchers Unmask Prolific Ransomware Operator 'Farnetwork' | Cybersecurity researchers from Group-IB have traced links between a threat actor known as 'farnetwork' and several ransomware-as-a-service (RaaS) programs over the last four years. Farnetwork has been associated with ransomware projects including JSWORM, Nefilim, Karma, and Nemty, and was involved in developing and managing these RaaS models. In 2022, farnetwork is believed to have launched a botnet service providing affiliates with access to compromised corporate networks. Recruitment efforts for the farnetwork-managed Nokoyawa RaaS program were identified, with potential candidates encouraged to use stolen credentials to deploy ransomware and demand payment for decryption of the encrypted files. The RaaS business model applied by farnetwork allows affiliates to receive 65% of a ransom amount, the botnet owner 20%, and as little as 10% for the ransomware developer. Although the Nokoyawa RaaS operation ceased in October 2023, Group-IB researchers consider it likely that farnetwork will re-emerge under a new alias with a new RaaS program. | Details |
| 2023-11-07 23:38:23 | bleepingcomputer | CYBERCRIME | Ransomware Attack on Ontario Shared Service Provider Compromises Data of 267,000 Patients | Shared service provider TransForm has confirmed that the ransomware attack that disrupted operations at numerous hospitals in Ontario, Canada was carried out by the DAIXIN Team. The attackers stole a database containing information on 5.6 million patient visits, affecting approximately 267,000 unique individuals. The attack occurred in late October, impacting five hospitals operating under TransForm, including Bluewater Health. Operational disruptions caused by the attack led healthcare providers to reschedule appointments and redirect non-emergency cases to other clinics. The perpetrators have started leaking samples of the stolen data and have stated their interest in selling it to brokers. TransForm has announced that it will not pay the ransom and is currently investigating the scope and impact of the data breach; regular updates will be provided. The stolen information does not include clinical records; however, the exact contents of the files are still under investigation. | Details |
| 2023-11-07 23:07:31 | bleepingcomputer | CYBERCRIME | Fraudulent Ledger App in Microsoft Store Leads to $768,000 Cryptocurrency Theft | A fraudulent cryptocurrency management app named Ledger Live Web3, published in the Microsoft Store, deceived multiple users, resulting in a total loss of over $768,000 in cryptocurrency. The app has since been removed from the store. The fraudulent app, which had been present in the Microsoft Store since October 19, was spotted by a blockchain enthusiast on November 5 and removed the same day by Microsoft. Allegedly, the scam was relatively simple: the fraudster copied the description of the legitimate app almost word for word from the Apple App Store and used the name "Official Dev" for the developer. During the scam, the fraudulent app also directed victims to a second cryptocurrency wallet, which collected around $180,000. Despite the red flags and suspicious details, it is unclear how the app was allowed to be published on the Microsoft Store, and questions are being raised about the thoroughness of Microsoft's app vetting process. Although modest in comparison to other cryptocurrency heists, the simple nature of the scam and the magnitude of the stolen amount are noteworthy. | Details |
| 2023-11-07 20:29:36 | bleepingcomputer | MALWARE | North Korean-Backed Hacker Group BlueNorOff Deploys ObjCShellz Malware for Mac Attacks | North Korean group BlueNorOff, known for attacks on cryptocurrency exchanges and financial institutions, has launched new macOS malware targeting Apple users. The ObjCShellz malware can open remote shells on compromised systems and is quite different from previous BlueNorOff payloads. The command-and-control (C2) domain linked to this malware mimics a legitimate cryptocurrency exchange's blog site in an effort to avoid detection. The malware assists in the post-exploitation phase, executing commands on infected Intel and Arm Macs. Last year, cybersecurity firm Kaspersky linked BlueNorOff to a series of attacks on cryptocurrency startups globally. In 2019, the U.S. sanctioned BlueNorOff and two other North Korean hacker groups for funneling stolen funds to the North Korean government. BlueNorOff and the Lazarus Group were also involved in the largest ever crypto hack, in which they stole tokens worth over $617 million. | Details |