Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 12611

Checks for new stories every ~15 minutes

2023-11-07 17:49:58 theregister CYBERCRIME Microsoft Intensifies Push for Multi-Factor Authentication With New Policies
Microsoft is rolling out three optional, Microsoft-managed Conditional Access policies to drive multi-factor authentication (MFA) adoption in business tenants. The policies are created in report-only mode; during a 90-day review period customers can opt out, after which the policies are enabled automatically. The first and most emphasized policy requires privileged admin accounts to complete MFA when accessing Microsoft admin portals. The other two apply to a smaller subset of customers, requiring MFA for high-risk sign-ins and for sign-ins to cloud apps respectively. Microsoft's stated goal is 100% MFA adoption, but only 37% of its customers currently use it; its security defaults initiative, which automatically applies a basic set of controls, has seen more than 80% of new customers keep MFA enabled. Microsoft says MFA reduces account-takeover risk by more than 99% and that tenants with security defaults enabled see 80% fewer compromises. The new policies are customizable, so customers can alter or disable them to fit their own requirements, and Microsoft plans over time to offer policies tailored to specific organizations.
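The practical question for a tenant admin is whether the admin-portal MFA requirement is actually enforced or still sitting in report-only mode. The following is an added example, not Microsoft's code and not from the article: it audits a list of Conditional Access policy objects in the shape of Microsoft Graph's conditionalAccessPolicy resource (the field names, the "enabledForReportingButNotEnforced" state and the "MicrosoftAdminPortals" application identifier are Graph's; the sample policies and the "constructed-app-id-1" identifier are constructed).

```python
# Added example: audit Conditional Access policies for an enforced admin-portal MFA
# requirement. Field names follow Microsoft Graph's conditionalAccessPolicy resource;
# the SAMPLE_POLICIES list is constructed for this example.

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state for report-only policies
ENABLED = "enabled"
ADMIN_PORTALS = "MicrosoftAdminPortals"            # Graph's identifier for the admin portals group
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

SAMPLE_POLICIES = [
    {   # the Microsoft-managed policy as it first appears in a tenant: report-only
        "displayName": "Multifactor authentication for admins accessing Microsoft Admin Portals",
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "includeUsers": []},
            "applications": {"includeApplications": [ADMIN_PORTALS]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # a tenant's own enabled policy that covers a different application (constructed ID)
        "displayName": "Require MFA for line-of-business app",
        "state": ENABLED,
        "conditions": {
            "users": {"includeRoles": [], "includeUsers": ["All"]},
            "applications": {"includeApplications": ["constructed-app-id-1"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
]


def requires_mfa(policy):
    return "mfa" in policy.get("grantControls", {}).get("builtInControls", [])


def covers_admin_portals(policy):
    """True if the policy's scope includes the admin portals and at least one
    directory role or all users. Exclusions are deliberately not evaluated here."""
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    users = policy["conditions"]["users"]
    targets_admins = bool(users.get("includeRoles")) or "All" in users.get("includeUsers", [])
    return (ADMIN_PORTALS in apps or "All" in apps) and targets_admins


def admin_portal_mfa_enforced(policies):
    """True only if an enabled (not report-only) policy requires MFA for admin portals."""
    return any(p["state"] == ENABLED and requires_mfa(p) and covers_admin_portals(p)
               for p in policies)


def report_only_policies(policies):
    """Names of policies still in report-only mode: they log, but block nothing."""
    return [p["displayName"] for p in policies if p["state"] == REPORT_ONLY]


def enable(policy):
    """Return a copy with the state switched to enabled, which is what happens
    automatically once the 90-day review period ends."""
    return {**policy, "state": ENABLED}


if __name__ == "__main__":
    print("enforced now:", admin_portal_mfa_enforced(SAMPLE_POLICIES))
    print("report-only:", report_only_policies(SAMPLE_POLICIES))
    after_review = [enable(SAMPLE_POLICIES[0])] + SAMPLE_POLICIES[1:]
    print("enforced after auto-enable:", admin_portal_mfa_enforced(after_review))
```

Note that this check ignores excludeUsers, excludeRoles and excludeGroups; an enabled policy with a broad exclusion list can still leave privileged accounts uncovered, so a real audit should evaluate exclusions as well.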
2023-11-07 16:38:11 theregister NATION STATE ACTIVITY UK Government Plans Mandatory Advance Notification of New Security Tech
The UK government intends to legislate a requirement that technology companies notify it of new security features before activating them, and that they disable such features when instructed. Announced in the King's Speech, the Investigatory Powers (Amendment) Bill would reform the "notices regime" with the stated aim of protecting public safety, and would likely give the Home Office access to data from major tech platforms for monitoring purposes. The government argues that advance knowledge of new security measures helps it combat serious crimes such as child sexual exploitation and abuse and terrorism. The bill also changes the conditions under which Internet Connection Records held by service providers can be used, with the aim of improving detection of serious crime and national security threats. Because firms may in effect need the government's prior approval before updating the privacy features of their products, critics see the proposal as a threat to end-to-end encryption and to the safety of communications and transactions. Abigail Burke of the Open Rights Group warned that the reforms could undermine companies' ability to secure data and increase the likelihood of criminal attacks, and urged the government to engage with civil society and tech companies. The proposal follows the passage of the Online Safety Bill into law, which tech companies had vigorously opposed over its so-called "spy clause".
2023-11-07 15:41:44 bleepingcomputer CYBERCRIME Microsoft Authenticator Suppresses Suspicious MFA Push Notifications
Microsoft has added a feature to the Authenticator app that suppresses suspicious push notifications during sign-in. When a sign-in attempt shows risk signals such as an unfamiliar location or other anomalous activity, the push prompt is not shown to the user; instead, the user must open Authenticator and enter a code to approve the sign-in. The change follows the May rollout of number matching, which requires users to type a number shown on the sign-in screen into Authenticator to approve a login. Both measures target MFA fatigue (push bombing) attacks, in which an attacker who already holds a victim's password repeatedly attempts to sign in, hoping the flood of prompts wears the victim down into approving one. Microsoft says that since the feature went live in September it has suppressed more than six million MFA notifications suspected of being attacker-initiated.
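Suppression in the app helps, but defenders should also be able to spot push bombing in their own sign-in telemetry. The following is an added example, not Microsoft's code and not from the article: it runs a simple detection over constructed sign-in log lines (a simplified timestamp,user,mfa_method,mfa_result shape, not Entra's real export format) and flags users who received a burst of unapproved push prompts, noting whether an approval followed the burst, which is the outcome the attacker is after.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: detect MFA push-bombing bursts in sign-in logs.
# SAMPLE_LOG is constructed; the column layout is a simplification, not Entra's format.
SAMPLE_LOG = """\
2023-11-07T03:00:05Z,alice@example.com,push,denied
2023-11-07T03:00:41Z,alice@example.com,push,timeout
2023-11-07T03:01:20Z,alice@example.com,push,denied
2023-11-07T03:01:59Z,alice@example.com,push,timeout
2023-11-07T03:02:37Z,alice@example.com,push,denied
2023-11-07T03:03:10Z,alice@example.com,push,approved
2023-11-07T09:15:00Z,bob@example.com,push,approved
2023-11-07T09:40:12Z,bob@example.com,push,timeout
"""

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(log_text):
    """Yield (timestamp, user, method, result) tuples from the constructed log shape."""
    for line in log_text.strip().splitlines():
        ts, user, method, result = line.split(",")
        yield datetime.strptime(ts, FMT), user, method, result


def detect_push_bombing(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return {user: (unapproved_prompts_in_burst, approved_after_burst)} for users
    who received at least `threshold` unapproved push prompts inside `window`.
    approved_after_burst is True when an approval lands within `window` of the
    burst's last prompt, i.e. the user may have given in."""
    events = defaultdict(list)
    for ts, user, method, result in parse(log_text):
        if method == "push":
            events[user].append((ts, result))

    hits = {}
    for user, evs in events.items():
        evs.sort()
        unapproved = [ts for ts, r in evs if r != "approved"]
        # sliding window over the unapproved prompts, oldest first
        for i in range(len(unapproved)):
            j = i
            while j + 1 < len(unapproved) and unapproved[j + 1] - unapproved[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end = unapproved[j]
                approved_after = any(
                    r == "approved" and burst_end <= ts <= burst_end + window
                    for ts, r in evs
                )
                hits[user] = (count, approved_after)
                break
    return hits


if __name__ == "__main__":
    for user, (count, gave_in) in detect_push_bombing(SAMPLE_LOG).items():
        print(f"{user}: {count} unapproved prompts, approval followed: {gave_in}")
```

An approval that follows a burst of denials and timeouts is the case to escalate first: the password is already compromised, and the session that was approved should be revoked while the credential is reset.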
2023-11-07 14:50:18 theregister NATION STATE ACTIVITY North Korea's State-Sponsored Hackers Develop New macOS Malware Targeting Financial Sector
Researchers at Jamf have identified a new macOS malware in the wild that they attribute to BlueNoroff, the North Korean state-sponsored group also tracked as APT38 and TA444. Named ObjCShellz, it is believed to be part of the multi-stage RustBucket campaign against organizations in the financial services sector; the scale and success of the campaign are not yet known. Although Jamf describes the malware as simple, it is a functional remote shell that executes commands sent from an attacker-controlled server, communicating with a domain that mimics a legitimate cryptocurrency exchange. The RustBucket toolset has been used in a series of attacks over the past six months, relying on a multi-stage approach and multiple distinct strains to evade detection and complicate analysis. The attackers target macOS despite Windows' larger market share because their intended victims, people with access to cryptocurrency or working on related projects, are likely to use Macs. The delivery chain begins with an app disguised as a PDF viewer, which the user must manually allow past Apple's Gatekeeper protection. A second app, also posing as a PDF viewer, executes a malicious script when a particular PDF is opened and contacts the attackers' command-and-control infrastructure to fetch further payloads. ObjCShellz appears to be a later-stage payload in this chain, underlining the continued development of these campaigns.
2023-11-07 14:39:35 bleepingcomputer DATA BREACH Marina Bay Sands Discloses Breach Impacting 665,000 Customers' Data
Marina Bay Sands (MBS), the resort and casino in Singapore, has disclosed a data breach affecting the personal information of around 665,000 customers. The unauthorized access, discovered on October 20, exposed data belonging to members of the MBS loyalty program; casino members (Sands Rewards Club) are believed to be unaffected. The exposed data could be used to target MBS customers with scams, phishing and social engineering. MBS reported the incident to the Singaporean authorities and to the relevant authorities in other countries. The scale of the intrusion remains unclear; it may be a ransomware-style extortion attack in which data is stolen to demand payment, but no ransomware group has claimed responsibility so far. MBS declined to comment beyond its official statement, which says customers whose personal data was exposed will be notified individually.
2023-11-07 13:58:26 thehackernews NATION STATE ACTIVITY North Korean Group BlueNoroff Blamed For New macOS Malware ObjCShellz
The North Korea-linked group BlueNoroff has been blamed for a new macOS malware strain, ObjCShellz, discovered as part of the RustBucket malware campaign. BlueNoroff, also tracked as APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima and TA444, is associated with the Lazarus Group and is known for financially motivated operations against banks and the cryptocurrency sector. ObjCShellz is written in Objective-C and functions as a simple remote shell that executes commands received from an attacker-controlled server. The initial access vector is unknown; the malware is thought to be delivered as a post-exploitation payload. The discovery follows other recent macOS findings attributed to North Korea, including KANDYKORN, used by the Lazarus Group against blockchain engineers, and the AppleScript-based RustBucket backdoor. Together they show North Korea-sponsored groups continuing to build bespoke malware for macOS and Linux, and suggest that macOS-targeting campaigns will keep increasing.
2023-11-07 12:31:33 thehackernews MALWARE New GootLoader Malware Variant GootBot Facilitates Rapid Spread and Avoids Detection
IBM X-Force researchers have uncovered GootBot, a new GootLoader variant built for lateral movement on compromised networks while evading detection. It marks a tactical shift: after a GootLoader infection the operators now drop their own implant rather than a post-exploitation framework such as Cobalt Strike. GootBot is an obfuscated PowerShell script that uses compromised WordPress sites as command-and-control, polling every 60 seconds for PowerShell tasks and posting the execution results back to the server. Current campaigns rely on SEO-poisoned search results for business-related topics that lead victims to compromised sites appearing legitimate, where they are tricked into downloading the initial payload. According to the researchers, GootBot's ability to scale an intrusion and evade detection reflects increasingly sophisticated attacker tradecraft, including the potential ransomware deployment that has been linked to GootLoader infections.
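A fixed 60-second poll to a low-reputation web host is a beaconing pattern that stands out in proxy logs even when the script itself is obfuscated. The following is an added example, not IBM X-Force's code and not from the article: it groups constructed proxy log lines (timestamp,src_ip,dst_host; the hosts and addresses are made up) by source/destination pair and flags pairs whose inter-request intervals are both frequent and nearly constant, using the coefficient of variation of the gaps as the regularity measure.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Added example: flag fixed-interval beaconing in proxy logs.
# SAMPLE_PROXY is constructed; hosts and addresses are placeholders.
SAMPLE_PROXY = """\
2023-11-07T10:00:00Z,10.0.0.21,blog.example.test
2023-11-07T10:01:00Z,10.0.0.21,blog.example.test
2023-11-07T10:02:01Z,10.0.0.21,blog.example.test
2023-11-07T10:03:00Z,10.0.0.21,blog.example.test
2023-11-07T10:04:01Z,10.0.0.21,blog.example.test
2023-11-07T10:05:00Z,10.0.0.21,blog.example.test
2023-11-07T10:00:13Z,10.0.0.21,www.example.com
2023-11-07T10:00:14Z,10.0.0.21,www.example.com
2023-11-07T10:07:40Z,10.0.0.21,www.example.com
2023-11-07T10:20:02Z,10.0.0.21,www.example.com
2023-11-07T10:31:00Z,10.0.0.21,www.example.com
"""

FMT = "%Y-%m-%dT%H:%M:%SZ"


def find_beacons(log_text, min_hits=5, max_cv=0.10):
    """Return {(src, dst): (mean_gap_seconds, coefficient_of_variation)} for pairs
    seen at least `min_hits` times whose gaps vary by no more than `max_cv`.
    Human browsing produces bursty, irregular gaps; a polling implant does not."""
    by_pair = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst = line.split(",")
        by_pair[(src, dst)].append(datetime.strptime(ts, FMT))

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = (round(mean, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (mean_gap, cv) in find_beacons(SAMPLE_PROXY).items():
        print(f"{src} -> {dst}: every ~{mean_gap}s (cv={cv})")
```

The threshold on the coefficient of variation is the tuning knob: implants that add random jitter to their sleep push the value up, so in practice it is worth running the check at a couple of settings and combining it with destination reputation rather than relying on regularity alone.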
2023-11-07 12:15:55 thehackernews CYBERCRIME Lack of Confidence in File Upload Security Raises Concerns Amidst Shift to Cloud and Containerized Web Apps
Organizations are moving to cloud-hosted and containerized web applications; 97% either already use containers or plan to deploy them within a year. Security practice has not kept pace with this shift, and file upload handling is a particular weak spot. Data breaches, compliance with regulations such as the GDPR, and malware are the top concerns, and OPSWAT notes that many of the vulnerabilities attackers exploit originate in file uploads. OPSWAT recommends a multi-layered approach: scanning with multiple antivirus engines, File-Based Vulnerability Assessment to identify vulnerable applications and files before they are installed, Deep Content Disarm and Reconstruction (CDR) to strip active content and regenerate safe files, and AI-assisted malware analysis for deeper evaluation. Given the evolving threat landscape, it argues, organizations must integrate these file upload security controls with their existing infrastructure to prevent malicious uploads and data loss.
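The baseline that every upload handler needs before any of the vendor layers above is to stop trusting the filename. The following is an added example, not OPSWAT's code and not from the article: a weak extension-only check beside a hardened validator that allowlists extensions, caps size, requires the file's magic bytes to agree with its extension, and applies a crude screen for PDF active content (a stand-in for what a real CDR engine does by rebuilding the file). The sample payloads are constructed and inert.

```python
import os
import re

# Added example: weak versus hardened upload validation. Samples are constructed.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
# Crude active-content screen for PDFs; a real CDR engine rebuilds the document instead.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|Launch|AA)\b")


def weak_validate(filename):
    """The common weak setting: trusts the client-supplied extension and nothing else."""
    return os.path.splitext(filename.lower())[1] in ALLOWED


def validate_upload(filename, data, max_bytes=10 * 1024 * 1024):
    """Hardened check. Returns (accepted, reason)."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if len(data) > max_bytes:
        return False, "file too large"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if ext == ".pdf" and PDF_ACTIVE.search(data):
        return False, "pdf contains active content"
    return True, "ok"


# Constructed samples: name -> bytes
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "script.php": b"<?php echo 'constructed'; ?>",
    "disguised.png": b"<?php echo 'constructed'; ?>",
    "form.pdf": b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>",
    "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >>",
}


def run_samples():
    """Return {name: (weak_result, hardened_result)} for every constructed sample."""
    return {name: (weak_validate(name), validate_upload(name, data))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in run_samples().items():
        print(f"{name:15} weak={weak!s:5} hardened={hardened}")
```

The "disguised.png" case is the one the weak check gets wrong: the extension passes but the content is a script, which matters on any server that later decides how to handle the file by sniffing its contents. Magic-byte agreement is a floor, not a ceiling; polyglot files that satisfy two formats at once still need the deeper analysis the article describes.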
2023-11-07 10:23:29 thehackernews CYBERCRIME Exploring the Security Risks and Defenses of ChatGPT AI Chatbot
ChatGPT, the generative AI chatbot, offers clear benefits, including content creation, coding assistance, educational help, customer support and personal assistance, but it also introduces security risks. Attackers can abuse it for data exfiltration, spreading misinformation, developing attack tooling and writing convincing phishing emails, which lowers the barrier to entry for cybercrime. ChatGPT's guardrails are meant to refuse assistance with malicious tasks, but "social engineering" of the model can get around them. Defenders can use the same tool to identify vulnerabilities and to learn about and improve their defenses, so both beginners and professionals can build security skills with it. Etay Maor, Senior Director of Security Strategy at Cato Networks, stresses the need to educate users on the responsible use of these tools.
2023-11-07 09:01:47 thehackernews NATION STATE ACTIVITY SideCopy Exploits WinRAR Flaw in Attacks on Indian Government
The Pakistan-linked threat actor SideCopy has been exploiting a WinRAR vulnerability, CVE-2023-38831, in attacks on Indian government entities, delivering a range of remote access trojans. Cybersecurity firm SEQRITE describes the campaign as multi-platform, targeting both Windows and Linux systems. SideCopy is suspected to be a subgroup of Transparent Tribe (APT36), with which it shares infrastructure and code used against Indian targets. Earlier this year SideCopy ran a phishing campaign using lures themed on India's Defence Research and Development Organisation (DRDO) to deliver information-stealing malware, and it has more recently targeted the Indian defense sector with ZIP attachments that deliver Action RAT and a new .NET-based trojan. The latest campaigns exploit CVE-2023-38831 in the WinRAR archiving tool to execute malicious code and deploy various RATs on both Windows and Linux. The Linux targeting is likely motivated by India's decision to replace Microsoft Windows with a Linux distribution, Maya OS, across its government and defense sectors; APT36 continues to expand its Linux arsenal and supplies SideCopy with Linux stagers that deploy the open-source Python RAT Ares.
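CVE-2023-38831 is triggered by a recognisable archive layout: a decoy document sits next to a directory with the same name, and that directory holds a script whose name begins with the decoy's name, so that opening the decoy in a vulnerable WinRAR (versions before 6.23) runs the script. That layout is something a mail gateway or sandbox can check for without executing anything. The following is an added example, not SEQRITE's code and not from the article: it builds constructed, inert sample archives in memory and scans an archive for the file/directory collision pattern.

```python
import io
import os
import zipfile

# Added example: scan a ZIP for the CVE-2023-38831 file/directory collision layout.
# Sample archives are constructed in memory and contain only inert text.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".lnk", ".hta"}


def build_sample_archive(decoy="invoice.pdf", script_ext=".cmd"):
    """Constructed sample with the exploit layout: a decoy whose name ends in a space,
    plus a same-named directory holding a script that starts with the decoy's name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy + " ", b"%PDF-1.4 harmless decoy text")
        zf.writestr(f"{decoy} /{decoy} {script_ext}", b"echo constructed sample, no payload")
    return buf.getvalue()


def build_benign_archive():
    """Constructed ordinary archive: a document plus a subdirectory of images."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 benign")
        zf.writestr("images/logo.png", b"\x89PNG benign")
    return buf.getvalue()


def scan_cve_2023_38831(zip_bytes):
    """Return [(decoy_name, script_path)] for every top-level file that has a
    same-named directory (ignoring trailing spaces) containing a script whose
    name begins with the decoy's name. A file and a directory cannot share a
    name on disk, so the collision itself is already suspicious."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    # normalised name (trailing spaces stripped) -> original name, top-level files only
    top_files = {n.rstrip(" "): n for n in names if "/" not in n}
    findings = []
    for n in names:
        if "/" not in n or n.endswith("/"):
            continue
        top_dir, _, leaf = n.partition("/")
        key = top_dir.rstrip(" ")
        if key not in top_files:
            continue
        if leaf.startswith(key) and os.path.splitext(leaf)[1].lower() in SCRIPT_EXTS:
            findings.append((top_files[key], n))
    return findings


if __name__ == "__main__":
    print("sample  :", scan_cve_2023_38831(build_sample_archive()))
    print("benign  :", scan_cve_2023_38831(build_benign_archive()))
```

This is a layout heuristic, not a full detection: it will miss a script type that is not in SCRIPT_EXTS and archives in formats other than ZIP, and it says nothing about what the script does. Updating WinRAR to 6.23 or later removes the underlying bug regardless of how the archive is laid out.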
2023-11-07 07:18:26 thehackernews MALWARE Critical Atlassian and Apache Software Flaws Being Exploited for Ransomware Attacks
Ransomware operators are actively exploiting critical flaws in Atlassian Confluence and Apache ActiveMQ. Rapid7 observed exploitation of two Confluence vulnerabilities, CVE-2023-22518 and CVE-2023-22515, to deploy Cerber (C3RB3R) ransomware; Atlassian has raised the CVSS score of CVE-2023-22518 from 9.8 to 10.0 in light of the active exploitation. Attackers target internet-facing Confluence servers and use the flaws to fetch a malicious payload from a remote server, with exploitation attempts originating from IP addresses in France, Hong Kong and Russia according to GreyNoise. Separately, Arctic Wolf Labs reports that the Apache ActiveMQ flaw CVE-2023-46604 is being weaponized to deliver SparkRAT, a Go-based remote access trojan, as well as a ransomware variant resembling TellYouThePass.
2023-11-07 05:11:18 thehackernews MALWARE Veeam Issues Security Updates for Critical Flaws in ONE IT Monitoring Software
Veeam has released hotfixes for four vulnerabilities in Veeam ONE, its IT monitoring and analytics platform, two of which are rated critical. The flaws affect Veeam ONE versions 11, 11a and 12, except CVE-2023-38548, which affects only version 12. In recent months threat groups including FIN7 and the BlackCat ransomware operation have exploited serious flaws in Veeam's backup software to deliver malware, so prompt patching is advisable. To apply the fix, administrators of affected versions should stop the Veeam ONE Monitoring and Reporting services, replace the existing files with those provided in the hotfix, and then restart the services.
2023-11-07 00:32:00 theregister CYBERCRIME Woman Sentenced to 18 Months After Fed Sting Traps Her Using Fake Hitman Hiring Site
Zandra Ellis, 34, of New Orleans, has been sentenced to 18 months in prison followed by three years of supervised release for attempting to hire a hitman through a parody website, and was ordered to pay a $100 special assessment. Ellis submitted a request under a pseudonym to Rentahitman.com, apparently unaware of the site's true purpose; the site originally linked visitors to the FBI's Internet Crime Complaint Center. The site's webmaster forwarded her request to the FBI, an agent conducted a sting operation, and Ellis was arrested. She was found to be in possession of a Ruger 308 pistol loaded with live rounds at the time of her arrest.
2023-11-06 22:35:01 theregister DATA BREACH US Immigration Officials Dispute Claims of Lax Mobile Security Practices
An audit by the US Department of Homeland Security's Office of the Inspector General (OIG), conducted between April 27 and August 17, alleged mismanagement of mobile device security at Immigration and Customs Enforcement (ICE). The auditors flagged "urgent issues", including "thousands" of questionable apps installed on ICE-managed devices by employees, contractors and other DHS staff. Such apps, the OIG said, could collect and monitor user and device information, posing a risk to ICE operations and personnel and to homeland security more broadly, and ICE was not monitoring these third-party apps because they were treated as personal even though they sat on agency devices. An ICE spokesperson disputed the findings, asserting there was no evidence of malicious activity on the devices or of any data breach, that ICE had full visibility into third-party app activity on its devices at all times, and that it took immediate steps in June to remediate all identified vulnerabilities. ICE has reportedly begun implementing some of the auditors' recommendations, including blocking prohibited apps, vulnerable messaging apps and VPN apps.
2023-11-06 21:58:58 bleepingcomputer MALWARE Critical Vulnerabilities Identified in Veeam ONE IT Infrastructure Monitoring Platform
Veeam has released hotfixes for four vulnerabilities in Veeam ONE, its IT infrastructure monitoring and analytics platform, two of which are critical. The two critical bugs carry CVSS base scores of 9.9 and 9.8 and allow remote code execution (RCE) and NTLM hash theft respectively. The first lets an unauthenticated user obtain information about the SQL Server connection that Veeam ONE uses to reach its configuration database, which can lead to RCE on the SQL Server hosting that database. The second lets an unprivileged user with access to the Veeam ONE Web Client obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. The two remaining medium-severity bugs require user interaction or have limited impact; one lets an attacker with the Power User role steal an administrator's access token via cross-site scripting (XSS). All four affect the actively supported Veeam ONE versions up to the latest release and are fixed in the hotfixes. The disclosure follows Veeam's March fix for a high-severity backup service vulnerability that has since been linked to multiple ransomware operations.