Daily Brief
Articles are listed below; the Summary column holds the generated summary for each story.
Total articles found: 12603
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-01 09:07:51 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Target Crypto Experts with Novel macOS Malware KANDYKORN | State-sponsored threat actors from North Korea have been found to be targeting blockchain engineers of an unspecified cryptocurrency exchange platform with a novel macOS malware named KANDYKORN.
The victims were lured into downloading and running a ZIP archive containing malicious code under the pretense of installing an arbitrage bot.
KANDYKORN is an advanced implant that can monitor and interact with the host while evading detection; its final payload is delivered by reflective loading, which executes the binary directly from memory instead of from a file on disk.
The activity overlaps with the Lazarus Group, a notorious North Korean hacking collective, and has been traced back to April 2023.
The intrusion starts with a Python script and proceeds through a five-stage chain that ends with the execution of KANDYKORN.
This comes alongside the re-emergence of Kimsuky, another North Korean hacking outfit, with an updated variant of an Android spyware called FastViewer.
The researchers warn that the activity demonstrates North Korea's continued focus on the cryptocurrency industry, with the aim of stealing cryptocurrency to evade international sanctions. | Details |
| 2023-11-01 08:42:12 | theregister | CYBERCRIME | UK Soft Drinks Producer Britvic Discusses OT Security Threats in Webinar | Cyber attacks on industrial control systems are increasingly common and can cause operational delays, shutdowns, and financial losses.
Increased systems connectivity often introduces cybersecurity blind spots, exposing sensitive data to unauthorized access and disruption.
Maintaining security requires detailed visibility of operational technology (OT) assets and their protection across extended networks.
Automated threat detection can play a crucial role in maintaining constant vigilance against cyber threats.
A November 8 webinar with the UK soft drinks producer Britvic covers strategies for overcoming these challenges, discusses evolving threats to OT security, and offers management advice on the risks introduced by IoT connectivity and automation.
Registration for the webinar, sponsored by Claroty, is now open. | Details |
| 2023-11-01 07:25:23 | thehackernews | NATION STATE ACTIVITY | Russian-linked Turla Group Updates Kazuar Backdoor with Advanced Stealth Capabilities | The Turla hacking group, believed to be connected to the Russian Federal Security Service (FSB), has been observed using a highly evolved version of the Kazuar backdoor.
Security researchers from Palo Alto Networks Unit 42, who have named the group Pensive Ursa, are tracking the hackers' activities.
The enhanced Kazuar displays advanced anti-analysis capabilities, enabling it to operate more stealthily, highlighting a continued evolution of Turla's attack methods towards increased sophistication and subterfuge.
Kazuar first emerged in 2017 and is a .NET-based implant that can interact clandestinely with compromised systems and exfiltrate data. In January 2021, links between Kazuar and Sunburst, another backdoor used in the SolarWinds hack, were discovered.
The backdoor's functionality has expanded significantly, from 26 commands in 2017 to 45 in the updated version, and now covers comprehensive system profiling, data collection, credential theft, file manipulation, and autonomous task scheduling. Communication with the command-and-control servers uses HTTP.
The Turla group's new tactics include a multithreading model for Kazuar, enabling it to receive and execute commands independently. The backdoor can function as a proxy, establishing communication between different Kazuar instances, and incorporates anti-analysis functionalities.
The development coincides with a Kaspersky report that several Russian state and industrial organizations have been targeted with a custom Go-based backdoor in a spear-phishing campaign running since June 2023. The threat actor behind this operation remains unidentified. | Details |
| 2023-11-01 05:07:52 | theregister | NATION STATE ACTIVITY | Apple Warns Indian Politicians of Suspected State-Sponsored Cyber Attacks | Several Indian politicians and media figures, all from opposition parties, have claimed Apple warned them that their accounts are potentially targeted by state-sponsored cyber attackers.
MP Mahua Moitra, one of the targets, shared Apple's warning email publicly and attributed the attempted compromise of her iPhone to the Indian government.
This is not the first instance where accusations have been made against the Indian government; in 2021, phone numbers of Indian journalists and politicians were reportedly found on a list targeted by the "Pegasus" spyware, created by NSO Group.
India's tech minister Ashwini Vaishnaw questioned the validity of Apple's warnings, calling them "vague and non-specific" and possibly based on incomplete or imperfect information. Apple's own description of its state-sponsored threat notifications acknowledges that some may be false alarms.
Critics argue that the Indian government's alleged involvement aligns with an observed trend of intolerance towards dissenting voices and an "autocratic drift," including frequent internet shutdowns. However, it's possible that foreign states with tensions with India could be the source of the attacks.
Apple deliberately does not disclose the source of these potential threats and has not commented on the specific notifications. | Details |
| 2023-11-01 04:57:25 | thehackernews | CYBERCRIME | F5 Warns of Active Cyber Attacks Exploiting BIG-IP Vulnerabilities | F5 has issued an alert regarding active exploitation of a critical security flaw in BIG-IP, tracked as CVE-2023-46747 with a CVSS score of 9.8.
The vulnerability allows an unauthenticated attacker with network access to the BIG-IP Configuration utility (TMUI) to bypass authentication and execute arbitrary system commands.
The issue affects every supported BIG-IP version branch, and ProjectDiscovery has released a proof-of-concept exploit.
F5 also reported threat actors exploiting CVE-2023-46748 (CVSS 8.8), an authenticated SQL injection vulnerability in the BIG-IP Configuration utility.
Attackers chain the two flaws: CVE-2023-46747 bypasses authentication on the Configuration utility, and the resulting authenticated access is then used to exploit the SQL injection and execute arbitrary system commands.
F5 advises administrators looking for indicators of compromise to review the log files named in its advisories for suspicious entries.
The Shadowserver Foundation reported detecting attempts to exploit F5 BIG-IP CVE-2023-46747 since October 30, 2023, urging users to quickly apply the necessary fixes. | Details |
| 2023-10-31 22:51:31 | theregister | CYBERCRIME | Top White House Officials Seek Agreement Not to Pay Ransom to Cybercriminals | The US-led Counter Ransomware Initiative (CRI) summit aims to secure an agreement among 48 countries not to pay ransom to cybercriminals.
During this summit, CRI plans to leverage artificial intelligence to trace cryptocurrency ransom payments and identify perpetrators.
Aside from tracking illicit fund flows, CRI countries will improve their information-sharing capabilities, with Lithuania developing one platform and Israel and the United Arab Emirates jointly building another.
The summit attendees will sign a policy statement declaring that governments will not pay ransom money, although the policy does not seem to cover private enterprises.
The US Treasury will share a list of cryptocurrency wallets used to move ransom payments and CRI countries will assist others attacked by ransomware.
The US is the most targeted by ransomware, accounting for 46% of all global attacks.
Charles Carmakal, Mandiant's chief technology officer, asserts that banning ransom payments is a valuable step, however more needs to be done on criminal deterrence through arrests, and victims need to receive better support in the aftermath of attacks. | Details |
| 2023-10-31 20:49:03 | theregister | CYBERCRIME | Widespread Exploitation of Citrix Bleed Vulnerability Attracts Ransomware | Citrix Bleed, a critical information-disclosure bug affecting NetScaler ADC and NetScaler Gateway, is now under "mass exploitation," with at least two ransomware syndicates involved.
As of October 30, Shadowserver identified over 5,000 vulnerable servers on the public internet while GreyNoise observed 137 unique IP addresses attempting to exploit this vulnerability.
Citrix patched the flaw (CVE-2023-4966) on October 10, but upgrading does not invalidate session tokens that were stolen beforehand: an attacker holding a copied token can still impersonate the authenticated user on a patched appliance, so administrators must also terminate all active and persistent sessions after applying the update.
Mandiant is tracking four distinct groups exploiting the flaw against organizations in multiple sectors, including the technology industry and government agencies worldwide.
Security firm Assetnote's publication of a technical analysis of the bug, demonstrating how it could be used to steal session tokens, has led to an increase in scanning activity for vulnerable endpoints.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-4966 to its Known Exploited Vulnerabilities catalog, but still lists its "known to be used in ransomware campaigns" status as "unknown."
Citrix did not comment when asked whether the bug has been reported as exploited by ransomware groups. | Details |
| 2023-10-31 20:23:17 | bleepingcomputer | MALWARE | Avast Confirms False-Positive Report Flagging Google App as Malware on Specific Android Phones | The cybersecurity company Avast confirmed that its antivirus software development kit (SDK) was erroneously flagging a Google app as malware on Huawei, Vivo, and Honor smartphones.
Users of affected devices were alerted to delete the Google app due to risks such as secretly sending SMS messages, downloading and installing other apps, or stealing personal data.
Some notifications even marked the Google app as a trojan, capable of providing remote access to user devices for attackers intending to install malware or steal data.
This false detection was reported on multiple forums such as Google's support forum, Reddit, Huawei's forum, and more.
The issue only affected users outside China, along with a small number of Honor and Vivo customers; Avast resolved it on October 30.
Google urged users to contact the device manufacturer for further information and affirmed that Google Play is the only official platform for downloading Google’s core apps for Android. | Details |
| 2023-10-31 20:12:39 | bleepingcomputer | CYBERCRIME | New Android App Replicates Flipper Zero Bluetooth Spam Attacks | Software developer Simon Dankelmann has created an Android app that carries out Bluetooth spam attacks like those previously performed with the Flipper Zero, a portable multi-tool for radio, NFC/RFID and hardware hacking.
The 'Bluetooth-LE-Spam' app generates BLE (Bluetooth Low Energy) advertisement packets that mimic nearby accessories, triggering a flood of pairing pop-ups on Windows and Android devices in range.
The app is still in early development, but initial tests confirmed it can broadcast spoofed advertisements as often as once per second, targeting Android's 'Fast Pair' and Windows' 'Swift Pair' features.
Limitations in Android's BLE advertising API make the app less effective than the Flipper Zero: developers have limited control over the advertised payload and the transmit power, so the spoofed advertisements are received less reliably.
The broadcasts can also cause Bluetooth peripherals such as mice and keyboards to become unresponsive, which could be used as a denial-of-service attack.
For now the app is more of a nuisance than a serious security threat. Targeted users can stop the pop-ups by disabling the Fast Pair (Android) or Swift Pair (Windows) notification setting.
BleepingComputer has advised against testing the app on primary devices due to potential safety risks as no official guarantee has been provided that the project is safe. | Details |
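The spam described above works because Fast Pair and Swift Pair trust whatever the advertisement says about the accessory. As an added example (not code from the Bluetooth-LE-Spam project or the article), the following Python script decodes BLE advertising payloads, recognises the discoverable-mode Fast Pair layout (service data under 16-bit UUID 0xFE2C followed by a 3-byte model ID) and the Swift Pair layout (Microsoft manufacturer data with beacon ID 0x03), and flags any advertiser address that rotates through many pairing identities, which is what a spam burst looks like from the receiving side. The Swift Pair byte layout follows Microsoft's public developer documentation as I read it and should be checked against the current spec; the sample advertisements, addresses and model IDs are constructed.

```python
"""Decode BLE advertising payloads and flag Fast Pair / Swift Pair spoofing bursts.

Added example, not code from the Bluetooth-LE-Spam project. All sample
advertisements, addresses and model IDs below are constructed.
"""
from collections import defaultdict

FAST_PAIR_UUID = 0xFE2C        # Google Fast Pair Service, 16-bit UUID
MICROSOFT_COMPANY_ID = 0x0006  # Bluetooth SIG company identifier for Microsoft
SWIFT_PAIR_BEACON_ID = 0x03    # Microsoft beacon ID used by Swift Pair (per Microsoft's docs)
SWIFT_PAIR_SCENARIO = 0x00     # sub-scenario byte: Bluetooth pairing

# Advertising data (AD) types from the Bluetooth Core Specification Supplement
AD_FLAGS = 0x01
AD_COMPLETE_NAME = 0x09
AD_SERVICE_DATA_16 = 0x16
AD_MANUFACTURER = 0xFF


def parse_ad_structures(payload: bytes):
    """Split an advertising payload into (ad_type, data) pairs.

    Each AD structure is [length][type][data...], where length counts the type
    byte plus the data. A zero length byte ends the payload. A structure whose
    declared length runs past the payload is rejected instead of guessed at.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} runs past end of payload")
        structures.append((payload[i + 1], payload[i + 2 : i + 1 + length]))
        i += 1 + length
    return structures


def classify(payload: bytes):
    """Return ("fast_pair", model_id_hex), ("swift_pair", name) or (None, None)."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_SERVICE_DATA_16 and len(data) >= 5:
            # Discoverable-mode Fast Pair: 16-bit UUID (little-endian), then a
            # 3-byte Model ID that decides which product image the pop-up shows.
            if int.from_bytes(data[:2], "little") == FAST_PAIR_UUID:
                return "fast_pair", data[2:5].hex()
        elif ad_type == AD_MANUFACTURER and len(data) >= 5:
            # Swift Pair: company ID (little-endian), beacon ID, scenario byte,
            # a reserved RSSI byte, then the display name shown by Windows.
            company = int.from_bytes(data[:2], "little")
            if company == MICROSOFT_COMPANY_ID and data[2] == SWIFT_PAIR_BEACON_ID:
                return "swift_pair", data[5:].decode("utf-8", errors="replace")
    return None, None


def find_spam_sources(observations, threshold=5):
    """Return advertiser addresses that presented at least `threshold` distinct
    pairing identities. A genuine accessory keeps one identity; an advertiser
    rotating through many model IDs or names is spoofing."""
    identities = defaultdict(set)
    for addr, payload in observations:
        kind, ident = classify(payload)
        if kind is not None:
            identities[addr].add((kind, ident))
    return sorted(addr for addr, seen in identities.items() if len(seen) >= threshold)


# --- constructed test input (builders mirror the AD layouts decoded above) ---
def ad(ad_type: int, data: bytes) -> bytes:
    return bytes([len(data) + 1, ad_type]) + data


def fast_pair_adv(model_id: int) -> bytes:
    return ad(AD_FLAGS, b"\x06") + ad(
        AD_SERVICE_DATA_16,
        FAST_PAIR_UUID.to_bytes(2, "little") + model_id.to_bytes(3, "big"),
    )


def swift_pair_adv(name: str) -> bytes:
    return ad(AD_FLAGS, b"\x06") + ad(
        AD_MANUFACTURER,
        MICROSOFT_COMPANY_ID.to_bytes(2, "little")
        + bytes([SWIFT_PAIR_BEACON_ID, SWIFT_PAIR_SCENARIO, 0x80])
        + name.encode("utf-8"),
    )


SPOOFER = "aa:bb:cc:dd:ee:ff"   # constructed: phone running the spam app
EARBUDS = "11:22:33:44:55:66"   # constructed: a genuine accessory
SAMPLE_OBSERVATIONS = (
    [(SPOOFER, fast_pair_adv(m)) for m in (0x000001, 0x000002, 0x000003, 0x000004)]
    + [(SPOOFER, swift_pair_adv("Example Mouse"))]
    + [(EARBUDS, fast_pair_adv(0x123456))] * 3
    + [("77:88:99:aa:bb:cc", ad(AD_FLAGS, b"\x06") + ad(AD_COMPLETE_NAME, b"Beacon"))]
)

if __name__ == "__main__":
    for addr, payload in SAMPLE_OBSERVATIONS[:2]:
        print(addr, payload.hex(), classify(payload))
    print("spam sources:", find_spam_sources(SAMPLE_OBSERVATIONS))
```

The per-address threshold is a heuristic: an advertiser that rotates its own address as well would have to be correlated by timing or signal strength instead, and a genuine accessory that appears under one model ID is never flagged.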
| 2023-10-31 19:19:32 | theregister | CYBERCRIME | Russians and Americans Indicted for Hacking JFK Airport's Taxi Dispatch System to Sell Queue Spots | Two American nationals, Daniel Abayev and Peter Leyman, and two Russian nationals, Aleksandr Derebenetc and Kirill Shipulin, have been charged with hacking the taxi dispatch system at John F. Kennedy International Airport in New York in order to sell front-of-line positions to taxi drivers.
The alleged hacking occurred between September 2019 and September 2021, and the American duo pleaded guilty in early October.
The scheme exploited taxi drivers' demand for lucrative airport fares and their financial incentive to avoid long waits in the dispatch queue.
To gain access to the dispatch system, the alleged hackers bribed personnel to insert a malware-laden flash drive into computers connected to the system, accessed it without authorization over Wi-Fi, and stole tablets connected to the system.
The group purportedly offered queue-jumps for $10 and waived fees for drivers who provided referrals, allegedly enabling as many as 1,000 queue-skipping trips per day.
The dispatch system was accessed multiple times, resulting in substantial earnings for the group; the accused Russians earned over $100,000 from the scheme, sent to them under the guise of "payment for software development" or "payment for services rendered."
The American defendants face up to five years in prison and the Russian defendants could face a maximum sentence of ten years if apprehended. | Details |
| 2023-10-31 19:03:51 | bleepingcomputer | CYBERCRIME | British Library's Online Services Disrupted after Major Cyberattack | The British Library experienced a significant IT outage impacting its website and various services following a cyber incident on October 28.
The outage affected other services, including phone lines and on-site library services in London and Yorkshire. However, facilities such as Reading Rooms remained operational.
Physical items requested before the attack are available on site, but manual ordering of collection items in London is limited, the digital collections and online catalogue are unavailable, and exhibition tickets can only be bought on site with cash.
No details have been provided about the type of attack, how malicious actors breached the library’s systems, or whether personal or financial information was compromised during the attack.
The National Cyber Security Centre (NCSC) and other cybersecurity specialists are working with the library to investigate the incident.
One of the world's largest libraries, the British Library holds over 150 million items and receives over 11 million online visitors annually; over 16,000 people use its collections each day, on site and online. | Details |
| 2023-10-31 18:07:28 | bleepingcomputer | CYBERCRIME | Atlassian Cautions Over Critical Security Flaw in Confluence Leading to Data Loss | Australian software company, Atlassian, warns of a critical security flaw in Confluence Data Center and Confluence Server software that could lead to data loss if successfully exploited.
The vulnerability, an improper authorization issue tracked as CVE-2023-22518, poses a severe risk to Confluence instances exposed to the public internet.
Threat actors can exploit the flaw to destroy data on affected servers, but it does not affect confidentiality, as it cannot be used to extract instance data.
Confluence Cloud sites accessed via an atlassian.net domain are not affected.
Atlassian fixed CVE-2023-22518 in Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1, and urges admins to back up unpatched instances and block Internet access to them until they are upgraded.
CISA, the FBI, and MS-ISAC previously warned to patch Atlassian Confluence servers against an actively exploited privilege escalation flaw tracked as CVE-2023-22515. The Chinese-backed Storm-0062 (aka DarkShadow or Oro0lxy) threat group had reportedly exploited this flaw as a zero-day since at least September 14, 2023. | Details |
| 2023-10-31 17:36:36 | theregister | CYBERCRIME | Retail Hardware Giant, Ace, Disrupted by Significant Cyberattack | Ace Hardware, a US-based hardware cooperative, suffered a severe cyberattack on Sunday that affected the majority of its IT systems and hindered many key operations.
The attack led to disruptions in the company's warehouse management systems, retailer mobile assistant system, invoicing system, and customer reward and care center's phone system.
While the type of attack has not been specified, digital forensics experts have been brought in to assist with restoration.
Although online orders and deliveries were suspended, the company said in-store payments and credit card processing were unaffected.
Warehouse employees and other staff are reportedly concerned about pay delays following the cyber attack.
The company recently reported a 5.8% decline in revenue compared with the same quarter of the previous year. | Details |
| 2023-10-31 16:55:24 | bleepingcomputer | CYBERCRIME | Alliance of 40 Nations Pledges to Cease Paying Ransomware Ransoms | Representatives from 40 countries will commit to discontinuing ransom payments to cybercriminal gangs at the third annual International Counter-Ransomware Initiative summit.
The move comes in response to rising global ransomware threats, with the United States bearing the brunt of these attacks, accounting for roughly 46% of incidents worldwide.
The summit will explore strategies to cut off funding for ransomware operations, aiming to undermine a critical driver of the industry: the profitable nature of such attacks.
Despite 48 countries, the European Union, and Interpol participating in the summit, it remains unclear whether all attendees will agree to the pledge.
Ransomware incidents saw a peak in September, with North America being the most targeted region. Over the last two years, numerous governments have suffered severe disruptions due to ransomware attacks.
The summit follows the inaugural event organized by the White House National Security Council in October 2021, at which 31 countries pledged to step up efforts to disrupt ransomware groups' abuse of cryptocurrency. | Details |
| 2023-10-31 16:24:20 | bleepingcomputer | MALWARE | Samsung Rolls Out Enhanced Malware Protection with Auto Blocker Feature | Samsung has introduced a new security feature called 'Auto Blocker' with the One UI 6 update which provides increased malware protection on Galaxy devices.
The opt-in feature blocks the sideloading of apps from sources other than the Galaxy Store and Google Play, shielding users from social engineering attacks that trick them into installing malicious apps.
Users who need to install apps from other channels can turn Auto Blocker off; the feature also includes app security checks powered by McAfee.
Auto Blocker also blocks commands and software installation attempts arriving over the USB port, protecting users who charge their devices at public charging stations.
Alongside the launch of One UI 6, Samsung has also improved Message Guard to offer support for popular third-party messaging apps including Messenger, Telegram, KakaoTalk, and WhatsApp.
Initially, only the Galaxy S23, S23+, and S23 Ultra have received the update which includes Auto Blocker and the updated Message Guard, but more devices are expected to receive it soon.
Users of compatible devices can enable the feature from the Settings menu; a third-party mobile security solution is recommended for additional protection. | Details |