Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12611
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-06 20:27:05 | bleepingcomputer | MALWARE | Hackers Exploit 'Looney Tunables' Linux Bug with Kinsing Malware to Steal Cloud Credentials | Operators of Kinsing malware, notorious for breaching cloud-based systems, exploited a Linux security issue known as "Looney Tunables" to infiltrate systems and steal cloud credentials. They first exploit a vulnerability in the PHPUnit PHP testing framework to gain initial access, then escalate privileges using 'Looney Tunables'. Unlike its usual procedure, Kinsing tested this attack manually, suggesting a shift in operational strategy from automated to manual testing to confirm success before scripting the exploitation. After exploitation, the threat group downloads a script and then a PHP script, leading to the deployment of a JavaScript web shell backdoor that supports subsequent attack phases such as command execution, file management, data collection, and encryption/decryption functions. The cybercriminals showed an interest in accessing Cloud Service Provider (CSP) credentials, aiming specifically at AWS instance identity data. This tactic signifies a major shift towards more sophisticated activity for Kinsing and is thought to be an experimental campaign with an expanded scope of collecting CSP credentials. | Details |
| 2023-11-06 20:01:22 | bleepingcomputer | MISCELLANEOUS | Microsoft to Roll Out MFA-Enforcing Policies for Admin Portal Access | Microsoft will soon implement Conditional Access policies requiring multifactor authentication (MFA) for administrators signing into admin portals such as Microsoft Entra, Microsoft 365, Exchange and Azure. The company will introduce MFA requirements for per-user access to all cloud apps and for high-risk sign-ins, though the latter will only be available to Microsoft Entra ID Premium Plan 2 customers. These policies will initially be introduced in report-only mode before being automatically enabled on tenants after a 90-day review and opt-out period. Microsoft Vice President for Identity Security Alex Weinert encourages MFA protection for all user access because of its effectiveness in reducing account takeover risk. Admins will be able to modify the state of all Microsoft-managed policies and exclude particular identities, and plans to combine machine learning-based policy insights with automated policy rollout are being discussed. | Details |
| 2023-11-06 17:43:21 | bleepingcomputer | CYBERCRIME | Atlassian Confluence flaw exploited in Cerber ransomware attacks | A critical-severity flaw in Atlassian Confluence, tracked as CVE-2023-22518, has been exploited to encrypt victims' files with Cerber ransomware. This improper authorization vulnerability affects all versions of Confluence Data Center and Confluence Server. Atlassian released security updates and told users to patch because the flaw could be used to wipe data; it subsequently disclosed that a proof-of-concept exploit was available online and recommended backing up systems and blocking Internet access to unpatched servers until they were secured. Threat monitoring service ShadowServer reported over 24,000 Confluence instances exposed online, but there was no means of establishing how many were vulnerable to CVE-2023-22518 attacks. Atlassian updated its advisory, revealing that threat actors were targeting the flaw following the release of the PoC exploit. Cybersecurity firm Rapid7 has confirmed widespread exploitation of Atlassian Confluence servers using the CVE-2023-22518 authentication bypass as well as another critical privilege escalation flaw, CVE-2023-22515, previously exploited as a zero-day; this activity is leading to ransomware deployment. Cerber ransomware was also used in attacks targeting Atlassian Confluence servers two years ago via a remote code execution vulnerability, CVE-2021-26084, previously exploited to install crypto-miners. | Details |
| 2023-11-06 17:27:37 | thehackernews | MALWARE | Updated Version of Jupyter Infostealer Malware Utilizes More Stealth Tactics | An upgraded version of the Jupyter Infostealer malware has emerged, implementing "simple yet impactful changes" to establish a stealthy, persistent presence on compromised systems. The information-stealing malware, also known as Polazert, SolarMarker, and Yellow Cockatoo, has traditionally used manipulated search engine optimization (SEO) tactics and malvertising as its initial access vector. The latest version uses various certificates to sign the malware, lending it a veneer of legitimacy, and employs PowerShell to connect to a remote server that ultimately decodes and launches the stealer. Other examples of updated malware include Lumma Stealer and Mystic Stealer, both of which now incorporate a loader and can generate builds with improved obfuscation. These updates make the malware more versatile, capable of loading second-stage payloads onto victims, including ransomware. The report also highlights developments in malware loaders such as PrivateLoader and Amadey, which have been observed infecting devices with a proxy botnet known as Socks5Systemz. Such loaders further exemplify the continually evolving nature of malware, as they enable data theft via stealers and remote access trojans. The botnet is estimated to comprise approximately 10,000 infected systems, with victims spread across the globe. | Details |
| 2023-11-06 17:22:02 | bleepingcomputer | CYBERCRIME | US Sanctions Russian National Over Money Laundering For Ryuk Ransomware Affiliate | The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned a Russian national, Ekaterina Zhdanova, who is accused of laundering millions in cryptocurrency for various individuals, including ransomware actors. According to OFAC, Zhdanova used her knowledge of cryptocurrency and blockchain networks to evade Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) controls. Zhdanova is believed to have laundered over $2.3 million in suspected ransom payments for an affiliate of the Ryuk ransomware operation. The method involved fraudulently opened investment accounts and real estate purchases to obscure the illegal origin of the funds; Zhdanova also used a global network of money launderers to hide her financial activities. Aside from ransomware, she allegedly assisted Russian oligarchs in evading sanctions in the wake of Russia's invasion of Ukraine. As a result of the sanctions, all of Zhdanova's U.S.-based assets will be frozen, and U.S. entities will be banned from conducting any transactions with her. | Details |
| 2023-11-06 16:56:13 | thehackernews | MALWARE | QNAP Releases Security Patches for Critical OS Flaws Vulnerable to Arbitrary Code Execution | Taiwanese firm QNAP has issued security updates to fix two significant flaws in its operating system that could result in arbitrary code execution. The more severe vulnerability, tracked as CVE-2023-23368 with a CVSS severity score of 9.8, is a command injection flaw affecting QTS, QuTS hero, and QuTScloud. If exploited, it could allow remote attackers to execute commands over a network connection. QNAP also addressed a similar command injection flaw (CVE-2023-23369, CVSS score: 9.0) in QTS, Multimedia Console, and the Media Streaming add-on that offers the same exploitation route. The issues were publicized in an advisory urging users running affected versions to update in order to mitigate potential threats. This follows an announcement several weeks ago in which QNAP reported taking down a malicious server used mainly for brute-force attacks against NAS devices with weak passwords. | Details |
| 2023-11-06 16:20:03 | theregister | NATION STATE ACTIVITY | US OFAC Slaps Sanctions on Russian Money Launderer Allegedly Linked to Ransomware Criminals | The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned Ekaterina Zhdanova, a Russian woman accused of laundering money for oligarchs and ransomware criminals, including Ryuk ransomware affiliates. Zhdanova allegedly laundered over $2.3 million in ransom payments in 2021. Seven members of the Wizard Spider group, linked to the Ryuk, Conti, and Trickbot ransomware operations, were sanctioned earlier this year. Methods used by Zhdanova to move funds included cryptocurrency exchanges without anti-money laundering controls, such as the Russian Garantex platform, international money launderers, cash, and traditional businesses. Zhdanova has reportedly moved funds for Russia's elite, including one instance of transferring over $100 million to the United Arab Emirates for an oligarch. Meanwhile, she ran a UAE tax residency service for high-paying clients and may have helped conceal their identities. The sanctions are part of US efforts to undermine Russia's economy and its ability to finance war following the invasion of Ukraine; over 2,500 Russia-linked individuals and entities have been added to OFAC's SDN list since then. Despite it being illegal to pay ransoms to sanctioned groups, 41% of victims still pay up, according to Astra Security. Meanwhile, Chainalysis revealed that ransomware criminals had already extorted at least $449.1 million from victims by June 2023, likely making it the second-most lucrative year for such criminals. | Details |
| 2023-11-06 15:38:48 | bleepingcomputer | CYBERCRIME | Vulnerability CVE-2023-46604 in Apache ActiveMQ Exploited to Deploy Ransomware | Cybersecurity companies ArcticWolf and Huntress Labs report that a critical remote code execution (RCE) flaw in Apache ActiveMQ servers has been exploited over the last two weeks by attackers to deploy SparkRAT malware. The flaw, tracked as CVE-2023-46604, is a maximum-severity bug in the ActiveMQ open-source message broker that enables unauthenticated actors to execute arbitrary commands on vulnerable servers. More than 4,770 of the over 9,200 Apache ActiveMQ servers exposed online are currently vulnerable to CVE-2023-46604 exploitation. Apache has released security updates to fix the vulnerability, which system admins are strongly advised to apply immediately. Attackers have been exploiting this bug to deploy both HelloKitty and TellYouThePass ransomware payloads on networks, with similarities noted between the two campaigns. The resurgence of TellYouThePass ransomware, which has expanded its targeting to include Linux and macOS systems, underscores the need for rapid remediation of this vulnerability. | Details |
| 2023-11-06 14:11:49 | thehackernews | CYBERCRIME | New Android Dropper-as-a-Service Circumvents Google's Security Measures | A new dropper-as-a-service (DaaS) for Android called SecuriDropper bypasses Google's latest security restrictions to deliver malware. Dropper malware on Android serves as a conduit for installing a payload onto compromised devices, making it a profitable business model for threat actors who advertise its capabilities to other criminal groups. The DaaS targets Google's Android 13 Restricted Settings, which are designed to prevent sideloaded applications from obtaining the Accessibility and Notification Listener permissions often abused by banking trojans. The dropper typically appears as an innocuous app and works around Android's security measures by requesting permission to read and write external storage and to install and delete packages. ThreatFabric, the Dutch cybersecurity firm that revealed SecuriDropper, reported that Android banking trojans such as SpyNote and ERMAC were being distributed by the DaaS via deceptive websites and third-party platforms, including Discord. Another tool offered as a dropper service that uses the Restricted Settings bypass is Zombinder, which was believed to have been shut down earlier this year. The connection between these two tools is as yet unclear; as Google ramps up security measures with each Android iteration, cybercriminals continue to adapt and innovate, with DaaS platforms becoming increasingly potent tools. | Details |
| 2023-11-06 14:06:16 | theregister | DATA BREACH | Okta confirms October breach affected less than 1% of customers, including 1Password, Cloudflare, BeyondTrust | Cloud services provider Okta confirmed its October cyber attack affected 134 companies, less than 1% of its customers. The firm clarified that the breach occurred due to an insider mishap in which an employee’s personal Google profile was compromised. Among the victims were password manager 1Password, cybersecurity firm Cloudflare, and software company BeyondTrust. The hackers gained access to HTTP Archive (HAR) files, which contain cached web session data and cookies that can be used to impersonate valid users. Okta also noted an unrelated third-party breach that exposed nearly 5,000 current and former employees' records. Meanwhile, Texas-based mortgage and loan company Mr Cooper remains largely offline after an unexplained cybersecurity incident, and Cisco released multiple security updates, including one critical patch for its Firepower Management Center. The fourth version of the Common Vulnerability Scoring System (CVSS) has also been introduced. | Details |
| 2023-11-06 12:49:00 | bleepingcomputer | CYBERCRIME | QNAP Issues Warning over Critical Command Injection Flaws in QTS OS and Apps | QNAP Systems issued advisories for two critical command injection vulnerabilities present in multiple versions of the QTS operating system and associated apps on its network-attached storage (NAS) devices. The first vulnerability, tracked as CVE-2023-23368, has a critical severity rating of 9.8 out of 10 and is exploitable by remote attackers. Affected versions are QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1. The second flaw, identified as CVE-2023-23369, is rated slightly lower (9.0) and can be leveraged to similar effect by remote attackers. Impacted versions are QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, plus Multimedia Console 2.1.x and 1.4.x, and the Media Streaming add-on 500.1.x and 500.0.x. Remediation for both vulnerabilities is available and involves updating the QTS, QuTS hero and QuTScloud systems; instructions have also been provided for updating the Multimedia Console and the Media Streaming add-on. QNAP advised users to apply the patches swiftly given the potential severity of the flaws. NAS devices are typically used to store data, so these vulnerabilities could allow cybercriminals to steal or encrypt sensitive data. QNAP has been targeted by ransomware attacks in the past, notably by the Deadbolt ransomware gang. | Details |
| 2023-11-06 12:02:30 | bleepingcomputer | MALWARE | SecuriDropper Service Bypasses Android Security to Install Malware | A new dropper-as-a-service (DaaS) operation named 'SecuriDropper' bypasses the 'Restricted Settings' feature in Android, allowing it to install malware on devices and obtain access to Accessibility Services. Android 13's Restricted Settings feature normally prevents applications installed from outside Google Play from accessing features such as Accessibility settings and the Notification Listener; SecuriDropper bypasses this by using a session-based installation API for malicious Android package files. This sidesteps Restricted Settings and avoids the 'Restricted setting' dialog that would otherwise block malware from dangerous permissions. The issue is reported to be present in Android 14 as well. SecuriDropper poses as a legitimate app, such as a Google app, an Android update, a video player, or a game, then installs malware by securing the necessary permissions and tricking users into installing a second-stage payload through deceptive interface manipulation. Cybersecurity firm ThreatFabric noted instances of SecuriDropper distributing SpyNote malware and banking trojans. The company also reported a resurgence of Zombinder, another DaaS operation that uses a similar method to bypass Restricted Settings, gluing malicious payloads to legitimate apps to infect devices. Google had not provided a comment or solution for this recurring problem at the time of the report. Android users are advised to avoid downloading APK files from obscure sources and to regularly review and revoke app permissions as necessary. | Details |
| 2023-11-06 11:36:45 | theregister | MISCELLANEOUS | Building Operational Resilience Against Cyber Threats - Insights from Britvic | The rise of cybersecurity threats such as ransomware and breaches via insecure third-party connections can severely impact operational resilience, particularly for operational technology (OT) systems such as those used in manufacturing. These threats have reportedly increased since the onset of the COVID-19 pandemic. Industrial control systems (ICS) must be secured against the risks and vulnerabilities introduced by always-on connectivity. To remain secure and compliant, organizations need visibility of assets and vulnerabilities across their broader networks, along with automated threat detection. Britvic, a soft drinks company, managed to overcome security challenges that threatened its systems; the company's Senior Manager for OT Compliance & Cyber Security, David Cox, will share insights on best practices in a webinar set for 8 November. The webinar, which aims to discuss the evolution of threats to OT security and how to maintain effective security practices, is intended to strengthen operational resilience among corporations and organizations. | Details |
| 2023-11-06 10:35:03 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Target Israeli Tech and Education Sectors with Wiper Malware | The Iranian hacker group Agonizing Serpens, also known as Agrius, BlackShadow, and Pink Sandstorm, has been carrying out a series of cyber attacks on Israel's higher education and tech sectors since January 2023. The attacks aim to steal sensitive data such as personally identifiable information (PII) and intellectual property; once the information is stolen, the attackers deploy various wiper malware to cover their tracks and render the infected endpoints unusable. Three new wipers (MultiLayer, PartialWasher, and BFG Agonizer) were used, as well as a tool called Sqlextractor that extracts information from database servers. Agonizing Serpens, active since at least December 2020, has been linked to previous attacks on Israeli entities using a ransomware strain called Moneybird. The recent attacks have targeted vulnerable internet-facing web servers, deploying web shells and stealing user credentials for further exploration of internal networks. The attackers use a mix of public and custom tools, including Sqlextractor, WinSCP, and PuTTY, to exfiltrate data and deliver wiper malware. Agonizing Serpens has recently upgraded its capabilities and invested resources in attempting to bypass Endpoint Detection and Response (EDR) and other security measures, often rotating between known proof-of-concept (PoC) and penetration testing tools as well as custom tooling. | Details |
| 2023-11-06 08:27:46 | thehackernews | CYBERCRIME | Threat Actors Exploit Google Calendar for Covert C2 Infrastructure | Google has issued a warning about threat actors using its Calendar service as covert command-and-control (C2) infrastructure. The public proof-of-concept (PoC) exploit, named Google Calendar RAT (GCR), operates through Google Calendar events using a Gmail account and was first published on GitHub in June 2023. While Google has not yet detected the tool being used in real-world attacks, its Mandiant threat intelligence unit has observed the PoC being shared on underground online forums. Because it operates purely on legitimate infrastructure, the tool is difficult for defenders to detect, as its traffic blends in with standard user activity. Highlighting the abuse of cloud services to infiltrate and compromise environments, Google also flagged an Iranian nation-state actor using macro-laced documents and a small .NET backdoor codenamed BANANAMAIL for malicious purposes. Google's Threat Analysis Group has since disabled the attacker-controlled Gmail accounts that were being used by the malware. | Details |