Daily Brief

2023-11-03 15:21:21 bleepingcomputer CYBERCRIME Four Zero-Day Vulnerabilities Discovered in Microsoft Exchange
Four zero-day vulnerabilities have been discovered in Microsoft Exchange that may enable remote attackers to execute arbitrary code and disclose sensitive information on affected installations. The flaws were reported to Microsoft on September 7th and 8th, 2023 by Trend Micro's Zero Day Initiative (ZDI). Microsoft did not regard them as severe enough to warrant immediate fixing, so the patches were deferred. ZDI disagreed with Microsoft's evaluation and published the flaws under its own tracking IDs to warn Exchange administrators about the security risks. Exploiting these vulnerabilities requires authentication, which lessens their severity to some extent and may be why Microsoft did not rush to fix them. However, cybercriminals have many ways to obtain Exchange credentials, so these zero-days should not be dismissed; in particular, ZDI-23-1578 allows RCE and could lead to complete system compromise. ZDI suggests restricting interaction with Exchange apps as the primary mitigation, with multi-factor authentication recommended as a further measure to prevent cybercriminals from using compromised Exchange accounts.
2023-11-03 15:15:47 bleepingcomputer CYBERCRIME Four Zero-day Vulnerabilities Impacting Microsoft Exchange Disclosed
Trend Micro's Zero Day Initiative (ZDI) disclosed four zero-day vulnerabilities in Microsoft Exchange that could allow remote attackers to execute arbitrary code or expose sensitive information. Although the flaws were reported to Microsoft on September 7th and 8th, 2023, Microsoft's security engineers determined they were not serious enough to warrant immediate servicing. All the vulnerabilities require authentication, which reduces their Common Vulnerability Scoring System (CVSS) ratings to between 7.1 and 7.5. However, cybercriminals have multiple ways to obtain Exchange credentials, which makes these vulnerabilities significant, and ZDI therefore emphasizes the importance of addressing them promptly. ZDI suggests limiting interactions with Exchange apps as the main mitigation, despite the potential inconvenience to business operations, and recommends implementing multi-factor authentication to prevent intrusion even if credentials are compromised. Microsoft had yet to respond to ZDI's disclosure at the time of BleepingComputer's reporting.
2023-11-03 14:49:47 bleepingcomputer DATA BREACH Okta Breach Led to Unauthorized Access of 134 Customers' Files; Session Hijacking Attempts Reported
Cyber attackers breached cybersecurity firm Okta's customer support system in October 2023 and accessed files related to 134 customers, less than 1% of its total customer base. Okta admitted that some of the accessed files contained session tokens that the threat actors later used to hijack the Okta sessions of five customers. Three of these customers, 1Password, BeyondTrust, and Cloudflare, detected and reported unauthorized login attempts against their in-house Okta administrator accounts. The breach occurred after the actors obtained credentials for a support service account from an employee's personal Google account; the employee had signed in to that Google profile on an Okta-managed laptop. Following the breach, Okta took multiple preventative measures, such as disabling the compromised account, blocking personal Google profiles on Okta-managed devices, and deploying additional detection and monitoring rules for its customer support system. This incident is one of several breaches Okta has experienced over the last two years. In December 2022, a breach led to hackers accessing confidential source code in Okta's private GitHub repositories. Its healthcare coverage provider, Rightway Healthcare, was also breached in September 2023, exposing sensitive information of nearly 5,000 current and former Okta employees. While the company has detailed its remediation activities, this sequence of incidents raises concerns about possible weaknesses in Okta's own security protocols.
2023-11-03 14:18:39 bleepingcomputer DATA BREACH Okta Breach Exposes Records of 134 Customers, Triggers Hijacking Attacks
Okta confirmed that an attacker breached its customer support system from 28 September to 17 October 2023, gaining access to the files of 134 customers, or less than 1% of its total customer base. Some of these files were HAR files containing session tokens. The threat actor used these tokens to hijack sessions belonging to five customers, three of which have publicly responded to the incident: 1Password, BeyondTrust, and Cloudflare. The breach was facilitated by the theft of credentials for a support service account. An employee had accessed their personal Google account via an Okta-managed laptop, and it is speculated that this was how the attacker obtained the account credentials. In response, Okta has implemented measures to prevent similar attacks. These include disabling the compromised service account, banning personal Google accounts from Okta devices, deploying more detection rules for its support system, and tying administrator session tokens to network location. This breach is the latest in a series of cyber attacks Okta has faced. In December 2022, Okta confirmed a breach in which confidential source code from its private GitHub repositories was accessed. In March 2022, an attack by the Lapsus$ group compromised about 2.5% of its customers. Recently, Okta warned almost 5,000 employees about exposure of personal data following a breach at its healthcare provider, Rightway Healthcare, in September.
2023-11-03 13:17:06 thehackernews MALWARE Threat Actors Exploit Linux Flaw in New Kinsing Malware Campaign Targeting Cloud Environments
Threat actors linked to Kinsing are exploiting a newly disclosed Linux vulnerability known as 'Looney Tunables' to breach cloud environments, according to cloud security firm Aqua. This marks the first documented active exploitation of this Linux flaw, which could allow an attacker to obtain root privileges. Kinsing has previously capitalized on newly unveiled security vulnerabilities, including a high-severity bug in Openfire, in its attack campaigns. The latest wave of attacks involves exploiting a remote code execution weakness in PHPUnit to gain initial access before probing for Looney Tunables with a Python-based exploit. A web shell is then used to gain backdoor server access and extract credentials associated with the Cloud Service Provider (CSP), marking a notable shift from Kinsing's traditional modus operandi of deploying its malware to launch cryptojacking operations. Aqua suggests that this change in tactics may indicate an expanding operational scope for Kinsing, posing increased threats to cloud-native environments in the future.
2023-11-03 12:15:42 thehackernews MALWARE NodeStealer Malware Hijacks Facebook Business Accounts to Spread Malicious Ads
Facebook business accounts are being used to run fraudulent advertisements that trick victims into downloading an updated NodeStealer malware, which steals passwords and browser cookies from the user. Meta first disclosed this JavaScript malware in May 2023, reporting that it was used to take over Facebook accounts. However, the current threat comes from a Python-based NodeStealer variant. Bitdefender's report says the malicious campaign is focused on male Facebook users aged 18 to 65 from Europe, Africa, and the Caribbean, with males above 45 being the most affected. The attackers' ultimate goal is to use the stolen cookies to bypass security mechanisms such as two-factor authentication, allowing them to change passwords and lock victims out of their accounts. This strategy lets the cybercriminals evade Meta's security defences and either steal money or scam new victims through the hijacked accounts. Additional account takeover attacks, including the 'Capra' operation on betting platforms and scams targeting Roblox gaming users, have been noted; these scams primarily aim to phish for victims' credentials. Also reported was a two-year-long data harvesting campaign in the Middle East that used about 3,500 fake real estate domains to collect information about buyers and sellers before selling this data on underground forums.
2023-11-03 11:49:50 thehackernews CYBERCRIME Evolution of Predictive AI and Threat Detection: A Perspective by BlackBerry
AI and machine learning play crucial roles in cybersecurity, with the adaptive nature of these technologies aiding in real-time detection and prevention of sophisticated cyber threats that are evolving at an accelerated pace. BlackBerry, with a robust patent portfolio in AI and ML, has emerged as a leading entity in the cybersecurity space, primarily due to its emphasis on enhancing the performance of predictive AI tools. Recent independent tests showed that BlackBerry's Cylance ENDPOINT® successfully blocks 98.9% of threats by proactively predicting malware behavior, even in new variants, bolstering the company's preventive approach. The effectiveness of machine learning models is strongly related to their ability to detect and respond to threats in real-time. In this context, Temporal Predictive Advantage (TPA) is a key metric evaluating a model's long-term performance. BlackBerry's Cylance model showcases a commendable temporal predictive advantage, maintaining high detection rates even without frequent model updates for up to 18 months. The company's latest AI model, built on vast, varied datasets with extensive malware behavior insights, has outperformed all previous versions, particularly regarding temporal predictive advantage and speed for distributed inference. BlackBerry's Cylance AI has reportedly helped customers halt 36% more malware, 12 times faster and with 20 times less overhead than competitors, highlighting the efficacy of utilizing AI in predictive cyber threat detection and prevention.
2023-11-03 11:19:01 theregister DATA BREACH UK Regulator Fines Three Companies for Breaching Electronic Marketing Rules
The Information Commissioner's Office (ICO), the UK's data regulator, fined three companies for sending unsolicited marketing text messages to people registered with the Telephone Preference Service (TPS). Digivo Media Ltd, trading as Rid My Debt, was fined £50,000 ($61,110) for sending 415,000 texts over a period of five and a half months ending in September 2021. MCP Online faced a penalty of £55,000 ($67,221) for making an unspecified number of unsolicited financial services calls about pensions. Argentum Data Solutions (ADS), a data processing and hosting provider, was handed the biggest fine of £65,000 ($79,443); the company had sent, and allowed third parties to send, over 2.3 million direct marketing texts. The ICO issued 34 fines in 2022, primarily for breaking electronic marketing rules, bringing £16 million ($19.5 million) to the Treasury. The head of investigations at the ICO, Andy Curry, stated that these companies use predatory marketing communications to target people who may be most at risk of harm.
2023-11-03 09:37:04 thehackernews MALWARE Spyware 'CanesSpy' Found in Modified Android WhatsApp Versions
Cybersecurity researchers have discovered spyware, called 'CanesSpy', embedded in modified versions of the WhatsApp Android application. The fraudulent versions of WhatsApp are predominantly circulated through untrustworthy websites and Telegram channels, with most users being Arabic and Azerbaijani speakers. CanesSpy activates when the victim's phone is turned on or starts charging, then sends device information, including the IMEI, phone number, mobile country code and mobile network code, to a command-and-control (C2) server. CanesSpy, believed to have been developed by an Arabic speaker, also relays the victim's contact and account details every five minutes and can transmit a range of data from the device on command from the C2 server. Researchers believe the spyware has been active since mid-August 2023, primarily targeting users in Saudi Arabia, Yemen, Turkey, Egypt, and Azerbaijan. The discovery highlights the ongoing use of altered messaging apps to distribute malware to unwary users. Users are urged to be cautious when downloading apps from third-party platforms, given their inadequate screening processes and failure to remove malware-laden applications.
2023-11-03 06:07:57 thehackernews MALWARE 48 Malicious npm Packages Discovered, Able to Deploy Reverse Shells on Developer Systems
A total of 48 malicious npm packages, which can deploy a reverse shell on compromised systems, were discovered in the npm repository. The illegitimate packages contained obfuscated JavaScript designed to open a reverse shell upon installation of the package. These malicious packages were published by an npm user named hktalent. At the time of the report, 39 of the packages were still available for download. The attack is triggered after installation through an install hook in package.json that runs JavaScript code which establishes the reverse shell. These findings closely follow reports that two packages published to the Python Package Index (PyPI) contained malicious code designed to steal Telegram Desktop application data and system information. Both cases highlight the increasing threat actor interest in open-source ecosystems, resulting in impactful supply chain attacks that can hit many downstream customers simultaneously. The malicious npm packages used several obfuscation techniques to avoid detection through static analysis or visual inspection.
2023-11-03 01:18:23 theregister CYBERCRIME FTX Founder, Sam Bankman-Fried, Found Guilty of Seven Criminal Charges Linked to Cryptocurrency Exchange Collapse
Sam Bankman-Fried, founder and former CEO of the crypto exchange FTX, has been found guilty of seven criminal charges relating to corporate malfeasance and fraud. The verdicts were reached in just four hours. The verdict follows the bankruptcy of FTX in November 2022, a company that once had a valuation of $32 billion. Investigations revealed a failure of corporate controls within FTX and a connected trading firm, Alameda Research. Charges arose from evidence that FTX had shifted its funds to Alameda, incurring financial losses that left investors unable to access their own funds. The mismanagement led to the collapse of the exchange. Bankman-Fried was quickly extradited from the Bahamas to face several lawsuits, including a case alleging stakeholder fraud of up to $10 billion, which culminated in the criminal convictions. A key witness was Bankman-Fried's former partner, Caroline Ellison, who testified that he directed her to move funds from FTX to Alameda. The combined maximum sentences for the charges could total 110 years of imprisonment. Sentencing is set for March 28, 2024, but Bankman-Fried is expected to appeal. Aside from this case, Bankman-Fried faces several other cases expected to run over a number of years, putting FTX in the spotlight as a key example of corporate incompetence within the crypto industry.
2023-11-02 21:49:36 bleepingcomputer CYBERCRIME Atlassian Advocates Urgent Patching for Exploitable Confluence Flaw
Atlassian is urging administrators to patch a critical Confluence security flaw that could be exploited in data destruction attacks on Internet-exposed and unpatched instances. The flaw, tracked as CVE-2023-22518, is an improper authorization vulnerability with a severity rating of 9.1/10, affecting all Confluence Data Center and Server software versions. While there have been no reports of active exploitation, Atlassian found a publicly available exploit for the vulnerability, heightening the risk for publicly accessible instances. The exploit can be used to wipe data on impacted servers, but not to steal data. Atlassian Cloud sites accessed through an atlassian.net domain are not at risk. In addition to recommending immediate upgrades, Atlassian provided a set of mitigation actions for those who cannot immediately patch their Confluence instances; however, these are not considered long-term solutions and patching remains crucial. Last month, multiple government agencies and Microsoft warned about an actively exploited privilege escalation flaw in Atlassian Confluence servers, which has been used as a zero-day by a Chinese-linked threat group since September 2023. Given their wide use, securing Confluence servers is critical in preventing ransomware, Linux botnet malware, and crypto-miner attacks.
2023-11-02 20:53:26 bleepingcomputer CYBERCRIME Ace Hardware Suffers Major Cyberattack Impacting 1,202 Devices and Internal Systems
Ace Hardware, a prominent retailer-owned hardware store cooperative with over 5,700 shops globally, confirmed facing a major cyberattack that crippled its IT systems. The attack has severely disrupted key operating systems including ACENET, Warehouse Management Systems, the Ace Retailer Mobile Assistant, Hot Sheets, Invoices, Ace Rewards, and the Care Center's phone system. The company's order processing systems are also affected, preventing stores and customers from placing new orders, and the company does not yet have a timeline for restoration. Ace Hardware's president and CEO, John Venhuizen, stated that 1,202 devices including 196 servers were impacted, but as of the most recent update, 51% of the servers have been restored. While the company works towards restoration, it has warned its retailers of threat actors attempting to exploit the situation through phishing emails and calls that ask them to redirect payments or hand over account credentials. At this stage, the full extent of the cyberattack, including the possibility of data theft, is uncertain.
2023-11-02 19:26:23 bleepingcomputer MALWARE North Korean Lazarus Group Targets Cryptocurrency Professionals with New KandyKorn macOS Malware
A newly discovered macOS malware named 'KandyKorn' is being attributed to the North Korean Lazarus Group. The malware targets engineers in the cryptocurrency sector. The attackers impersonate cryptocurrency community members on Discord channels to distribute Python-based modules that initiate the KandyKorn infection process. Elastic Security identified the similarity of the attacks to previous Lazarus campaigns based on the methodologies employed, network infrastructures, code-signing certificates, and custom detection rules used by Lazarus. The malware's operating process involves a series of multi-stage downloads and payloads before it finally establishes a connection with a command and control (C2) server and loads KandyKorn malware. KandyKorn malware has multiple capabilities including data retrieval, directory listing, file upload/download, secure deletion, process termination, and command execution, all functions that make it particularly stealthy and dangerous. It is important to note that while Lazarus primarily targets the cryptocurrency sector out of financial motivation, KandyKorn's existence attests to the group's ability to craft sophisticated and well-concealed malware specifically designed for Apple computers.
2023-11-02 19:00:17 bleepingcomputer CYBERCRIME Henry Schein Healthcare Giant Targeted by BlackCat Ransomware Gang
The BlackCat ransomware gang claimed to have breached the network of healthcare giant Henry Schein, stealing dozens of terabytes of data, including payroll and shareholder information. The company had earlier disclosed that it took some systems offline to mitigate a cyberattack that impacted its manufacturing and distribution businesses. Some of Henry Schein's business operations were disrupted by the attack, but its practice management software "Henry Schein One" was unaffected. Law enforcement authorities have been informed of the incident and external cybersecurity and forensics experts have been hired to investigate. Following its disclosure of the cyberattack, the healthcare services provider advised customers to place orders through their Henry Schein representative or dedicated telesales phone numbers. The BlackCat ransomware group added Henry Schein to its dark web leak site, alleging it had breached the company's network and stolen 35 TB of sensitive files. The group claimed it encrypted the company's devices a second time after seemingly unsuccessful negotiations. Henry Schein's entry on BlackCat's data leak site was later deleted, leading to speculation that the company may have restarted negotiations or paid a ransom. The BlackCat ransomware operation, likely a rebrand of DarkSide/BlackMatter, which was originally known for its infiltration of Colonial Pipeline, began in November 2021. The FBI linked the group to successful attacks on more than 60 organizations worldwide between November 2021 and March 2022.