Daily Brief

Total articles found: 12595

Checks for new stories every ~15 minutes
2023-10-21 03:46:59 thehackernews MALWARE Cisco Zero-Day Flaw Exploited to Install Lua-based Backdoor on Thousands of Devices
Cisco has warned of a new zero-day in its IOS XE software that unidentified threat actors have used to deploy a malicious Lua-based implant on vulnerable devices. The issue, tracked as CVE-2023-20273, is a privilege escalation flaw in the web UI feature and was chained with a previously disclosed vulnerability, CVE-2023-20198. The attacker first exploits CVE-2023-20198 to gain initial access and create a local user account with a password of their choosing, then uses that account to exploit CVE-2023-20273, elevate to root and write the implant to the file system. Fixes for both vulnerabilities have been identified and are to be released from October 22, 2023; until then, users are advised to disable the HTTP server feature. Together the flaws could give attackers full remote control of an affected device, allowing them to monitor, inject and redirect network traffic and establish a persistent foothold in the network. According to data from Censys and LeakIX, around 41,000 Cisco devices running the vulnerable IOS XE software are estimated to have been compromised through the two flaws; by October 19 the count of compromised devices had dropped to 36,541. The primary targets are not large corporations but smaller entities and individuals.
2023-10-20 22:16:56 bleepingcomputer MALWARE Cyberattackers Exploit New Cisco IOS XE Zero-Day for Malware Deployment
Cisco has disclosed a new critical zero-day, CVE-2023-20273, that is being actively exploited to deploy malicious implants on compromised IOS XE devices. The disclosure follows closely on that of another zero-day, CVE-2023-20198. Fixes for both vulnerabilities are expected to be available to customers through Cisco's Software Download Center from October 22. Attackers have exploited the flaws since at least September 18, gaining access to IOS XE devices and creating local accounts named 'cisco_tac_admin' and 'cisco_support'. CVE-2023-20273 in particular is used to obtain root access, take complete control of the device and deploy implants that allow arbitrary commands to be executed on the system. Networking devices running Cisco IOS XE, including enterprise switches, access points, wireless controllers and various routers, are vulnerable; an estimated 146,000 such systems are exposed to the internet. While patches are not yet available, administrators can block the attacks by disabling the vulnerable HTTP server feature on all internet-facing systems. Cisco also recommends that admins check for new or suspicious user accounts as a potential sign of related malicious activity. This follows a warning from Cisco last month to patch another actively exploited zero-day, CVE-2023-20109, in its IOS and IOS XE software.
2023-10-20 19:49:12 theregister CYBERCRIME Admin of Compromised-Credential Marketplace E-Root Extradited to the US
Sandu Diaconu, the Moldovan national who allegedly ran the compromised-credential marketplace E-Root, has been extradited from the UK to the US to face trial. Diaconu and a second, unnamed individual allegedly operated E-Root from 2015 to 2020, selling access to compromised servers worldwide. The platform was used to facilitate crimes such as ransomware attacks, fraudulent wire transfers and tax fraud. US authorities found over 350,000 compromised credentials listed for sale on E-Root, belonging to individuals and companies in the US and abroad; one victim was a local government agency in Tampa, Florida. The site handled payments through the online payment system Perfect Money and ran a sister site that converted Bitcoin into Perfect Money to conceal users' identities. Diaconu and his alleged co-conspirator face charges including conspiracy to commit access device and computer fraud, wire fraud conspiracy and money laundering. If convicted, Diaconu faces up to 20 years in prison. E-Root was taken down in 2020 in a joint operation by US and UK law enforcement, another result of the international crackdown on cybercrime.
2023-10-20 18:42:50 bleepingcomputer DATA BREACH Okta's Support System Breached, Potentially Exposing Customer Cookies and Session Tokens
Okta disclosed that a threat actor used stolen credentials to access its support case management system and view files that customers had uploaded for recent support cases. Chief Security Officer David Bradbury said the breach did not affect Okta's production service or the Auth0/CIC case management system. Okta has not detailed what customer information was exposed, but the system stores HTTP Archive (HAR) files, which customers upload to help troubleshoot browser sessions and which can contain cookies and session tokens that would let an attacker impersonate the user who recorded them. Okta has revoked the session tokens embedded in shared HAR files, advised customers to sanitize HAR files before sharing them, and published the indicators of compromise it observed. Okta has previously suffered several security incidents, including an admin console breach by Lapsus$, OTP theft by the Scatter Swine group, and source code thefts from both Okta and Auth0, which it owns. Customers potentially affected by this incident have been notified; those who have not received an alert are not affected.
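The advice above is to sanitize HAR files before uploading them to a support portal. A HAR is a JSON document that records every request and response the browser made, so the session cookies, Set-Cookie headers, bearer tokens and token-bearing JSON bodies are all sitting in it in clear text. The following scrubber is an added example written for this brief, not Okta's tooling; the sample archive is constructed, the sensitive header list and the key-name pattern are assumptions you should extend for your own applications, and it deliberately blanks values rather than deleting entries so the archive still loads in HAR viewers and support staff can see that a header was present.

```python
"""Scrub session material from an HTTP Archive (HAR) before sharing it with support."""
import copy
import json
import re

REDACTED = "[REDACTED]"
# Headers whose values carry bearer credentials or session cookies (assumed list, extend as needed).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Body / query-string keys that usually hold credentials (assumed pattern).
SENSITIVE_KEY = re.compile(r"(token|session|sid|secret|password|assertion)", re.I)
# key=value pairs in URLs and form bodies whose key looks like a credential.
KV_PATTERN = re.compile(r"(?i)\b([\w.-]*(?:token|session|sid|secret|password)[\w.-]*)=([^&;\s]+)")


def _redact_kv(text: str) -> str:
    """Blank credential-looking values in a query string or urlencoded body."""
    return KV_PATTERN.sub(lambda m: f"{m.group(1)}={REDACTED}", text)


def _redact_json(obj):
    """Recursively blank scalar values whose key looks like a credential."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(k) and isinstance(v, (str, int))
                    else _redact_json(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_json(v) for v in obj]
    return obj


def _redact_text(text: str) -> str:
    """JSON bodies are walked structurally; anything else gets the key=value pass."""
    try:
        return json.dumps(_redact_json(json.loads(text)))
    except (ValueError, TypeError):
        return _redact_kv(text)


def sanitize_har(har: dict) -> dict:
    """Return a copy of the archive with cookies, auth headers and token fields blanked."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for hdr in msg.get("headers", []):
                if hdr.get("name", "").lower() in SENSITIVE_HEADERS:
                    hdr["value"] = REDACTED
            for cookie in msg.get("cookies", []):       # parsed cookie jar, separate from headers
                cookie["value"] = REDACTED
            if "url" in msg:
                msg["url"] = _redact_kv(msg["url"])
            for param in msg.get("queryString", []):
                if SENSITIVE_KEY.search(param.get("name", "")):
                    param["value"] = REDACTED
            if "postData" in msg and "text" in msg["postData"]:
                msg["postData"]["text"] = _redact_text(msg["postData"]["text"])
            content = msg.get("content", {})
            if "text" in content:
                content["text"] = _redact_text(content["text"])
    return clean


def leaks_remaining(har: dict, secrets) -> list:
    """Secrets that still appear anywhere in the serialized archive (use as a final gate)."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed sample archive; the host, token and cookie values are made up for the example.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://idp.example.test/api/v1/users/me?sessionToken=sess-XYZ",
        "headers": [
            {"name": "Cookie", "value": "sid=abc123session; DT=deviceTok"},
            {"name": "Authorization", "value": "Bearer eyJhbGciOi.example"},
            {"name": "Accept", "value": "application/json"},
        ],
        "queryString": [{"name": "sessionToken", "value": "sess-XYZ"}],
        "cookies": [{"name": "sid", "value": "abc123session"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=abc123session; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "abc123session"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"id": "00u1", "sessionToken": "sess-XYZ",
                                        "profile": {"login": "user@example.test"}})},
    },
}]}}

if __name__ == "__main__":
    cleaned = sanitize_har(SAMPLE_HAR)
    print(json.dumps(cleaned, indent=1))
    print("still leaking:", leaks_remaining(cleaned, ["abc123session", "sess-XYZ"]))
```

Run it against a real export with `sanitize_har(json.load(open("trace.har")))` and keep the `leaks_remaining` check in your workflow: grep the cleaned archive for the literal cookie value you can see in your own browser before you attach it anywhere. Even a scrubbed HAR still reveals internal hostnames and API shapes, so share the minimum number of entries the support case actually needs.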
2023-10-20 16:08:22 bleepingcomputer CYBERCRIME International Operation Arrests Ragnar Locker Ransomware Developer and Seizes Group's Dark Web Sites
A multi-national law enforcement operation involving authorities from eleven countries has resulted in the arrest of a developer for the Ragnar Locker ransomware gang. Six further suspects linked to the gang were located and questioned in France, Spain, Latvia and the Czech Republic during the raids, and nine servers were taken down in the Netherlands, Germany and Sweden. This is the third operation against Ragnar Locker, following actions in Ukraine and Canada. The joint action also led to the seizure of cryptocurrency and of the operation's Tor negotiation and data leak sites. Ragnar Locker, which emerged in late December 2019, targets enterprise victims worldwide and eschews the common Ransomware-as-a-Service model, favoring targeted network breaches carried out with external penetration testers. It has attacked 168 international companies since 2020, including ADATA, Dassault Falcon and Capcom, and the FBI states the ransomware has been deployed on the networks of at least 52 organizations across various US critical infrastructure sectors since April 2020.
2023-10-20 16:02:48 bleepingcomputer CYBERCRIME Developer of Ragnar Locker Ransomware Apprehended in International Operation
In an international operation involving multiple countries, a developer connected to the Ragnar Locker ransomware operation was detained in France and the operation's dark web sites were seized. The operation culminated in a week of action from 16 to 20 October, with raids in the Czech Republic, Spain, Latvia and France and the seizure of nine servers in the Netherlands, Germany and Sweden. Eurojust opened the case in May 2021 to facilitate judicial cooperation between the participating countries, and a coordination centre was set up during the action week to enable rapid cooperation. Cryptocurrency was also seized, along with the group's Tor negotiation and data leak sites. This is the third action against the Ragnar Locker gang; previous operations led to arrests in Ukraine and Canada. Ragnar Locker does not operate as a Ransomware-as-a-Service but as a semi-private group; it has attacked 168 international companies since 2020, including high-profile targets such as ADATA, Dassault Falcon and Capcom. The FBI reports that the ransomware has been deployed on the networks of at least 52 organizations across numerous US critical infrastructure sectors since April 2020.
2023-10-20 15:01:32 bleepingcomputer CYBERCRIME Critical Remote Code Execution Flaws Identified in SolarWinds Access Rights Manager
Researchers have identified three serious remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that could allow remote attackers to execute code with system privileges. The flaws were found and reported through Trend Micro's Zero Day Initiative (ZDI) on June 22. In total, eight vulnerabilities were reported in the product, three of which the researchers rate as critical. SolarWinds has addressed all of them in Access Rights Manager version 2023.2.1. Despite the researchers' assessment, SolarWinds classified none of the vulnerabilities as critical; the highest severity score it assigned was 8.8 (high).
2023-10-20 13:54:43 thehackernews MALWARE Malvertising Campaign Exploits Google Ads to Distribute Malware
Threat actors are abusing Google Ads in a malvertising campaign that directs users searching for popular software such as Notepad++ and PDF converters to fake landing pages that deliver next-stage payloads. When a bogus ad on the search results page is clicked, bots and other unwanted visitors are filtered out by showing them a decoy page; visitors of interest are redirected to a replica of the software's site while their system is silently fingerprinted. Users judged not to be worth targeting are sent on to the real Notepad++ website, while potential targets are assigned unique, time-limited IDs used for tracking and for serving the download; the final payload is malware that connects to a custom port on a remote domain. A similar campaign targets users searching for the KeePass password manager with malicious ads that redirect victims to a lookalike domain registered using Punycode. Bypassing ad verification checks and selecting specific victims are what make these campaigns effective, and they reflect growing sophistication in malvertising. Several threat actors, including TA569, RogueRaticate, ZPHP, ClearFake and EtherHiding, are also using fake browser update themes to spread malware such as Cobalt Strike, loaders, stealers and remote access trojans.
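The KeePass lure above works because a Punycode (IDN) domain renders in the browser as a Unicode name that reads like the real brand: a Latin letter with a diacritic, or a Cyrillic letter with the same glyph, substituted for one character. The checker below is an added example for this brief, not code from the campaign write-up or from any vendor; it decodes `xn--` labels with Python's standard `punycode` codec, reduces the label to the ASCII letters a victim would perceive (NFKD decomposition with combining marks stripped, plus a small assumed table of Cyrillic confusables), and flags the result when it collapses to a brand in a watch list you supply. The hostnames are constructed under the reserved `.example` TLD and are not the domains used in the real campaign.

```python
"""Flag IDN / Punycode hostnames that read like a watched software brand."""
import unicodedata
from urllib.parse import urlsplit

# Second-level labels of the brands the page says were impersonated (assumed watch list).
BRAND_LABELS = {"keepass", "notepad-plus-plus"}
# Cyrillic letters whose glyphs match Latin ones; a small subset, assumption for the example.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into its Unicode form; pass plain labels through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(label: str) -> str:
    """Reduce a label to what a reader perceives: strip diacritics, fold confusables, lowercase."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(CONFUSABLES).lower()


def assess(url: str) -> dict:
    """Decode the host of a URL and report whether it is a non-ASCII lookalike of a watched brand."""
    host = urlsplit(url).hostname or ""
    labels = [decode_label(part) for part in host.split(".")]
    decoded = ".".join(labels)
    non_ascii = not decoded.isascii()
    registrable = labels[-2] if len(labels) >= 2 else labels[0]   # label left of the TLD
    folded = skeleton(registrable)
    lookalike = folded if non_ascii and folded in BRAND_LABELS else None
    return {"host": host, "decoded_host": decoded, "non_ascii": non_ascii, "lookalike_of": lookalike}


if __name__ == "__main__":
    # Constructed samples: a k-with-cedilla lookalike and a Cyrillic-e lookalike, both on .example.
    for sample in ("https://xn--eepass-vbb.example/download",
                   "https://k\u0435epass.example/",
                   "https://keepass.info/download"):
        print(assess(sample))
```

Feed it the redirect chain from a proxy log or the `href` of a suspicious ad and look at `decoded_host`; a `lookalike_of` hit is a strong signal, but an unrecognised non-ASCII registrable label pointing at a software download deserves a look as well. The confusables table is intentionally tiny; for production use the Unicode confusables data set rather than a hand-typed subset.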
2023-10-20 13:49:11 bleepingcomputer CYBERCRIME Kwik Trip Confirms Cyberattack Led to IT System Outages
Kwik Trip, a US convenience store chain, has confirmed that a cyberattack has been causing ongoing outages to its internal IT systems since October 9, 2023. The attack has resulted in widespread IT system disruptions and has been affecting the company's Rewards program, support, phone, and email systems. The Kwik Rewards loyalty program resumed at select stores and will gradually be reinstated at all locations. Kwik Trip has yet to provide details about the customer personal information stored in affected systems, but has claimed they have found no evidence of attackers accessing customer payment details. The company has mobilised third-party cybersecurity experts to assist in the mitigation efforts and investigate the nature and extent of the breach. The convenience store chain operates over 800 stores and gas stations across the north-central region of the US and has a workforce of over 35,000 employees.
2023-10-20 13:33:32 thehackernews CYBERCRIME Vietnamese Hackers Deploy DarkGate Malware on Targets in UK, US, and India
Vietnamese cyber actors are suspected to be behind a series of attacks using DarkGate commodity malware, primarily targeting entities in the UK, the US, and India; Ducktail stealer is another malware associated with these actors. Cybersecurity firm WithSecure reports that there has been an increase in campaigns using the DarkGate malware, driven by the developer's decision to rent the malware to other threat actors. Overlapping tools, campaigns, and malware indicate the existence of an active cybercrime marketplace where threat actors can obtain and utilize multiple different tools for a single purpose. The tactics, techniques, and procedures utilized by the Vietnamese actors include delivering DarkGate through AutoIt scripts fetched via phishing emails or messages on Skype or Microsoft Teams. The initial infection vector in a recent attack was a LinkedIn message that redirected the receiver to a file on Google Drive, a method commonly used by Ducktail actors. DarkGate has the capabilities of a remote access trojan (RAT) and can steal information and establish a backdoor for accessing compromised hosts. Multiple tools used in the same campaign could potentially obscure the true extent of the activity from purely malware-based analysis.
2023-10-20 12:52:23 bleepingcomputer MALWARE Vietnam-Linked Cybercriminals Exploit Fake Corsair Job Offers on LinkedIn to Deliver Malware
Cybersecurity firm WithSecure has observed a threat actor using fake LinkedIn posts and messages about a job at hardware maker Corsair to distribute info-stealing malware such as DarkGate and RedLine. The actor is associated with the Vietnamese cybercriminal groups behind the 'Ducktail' campaigns, which aim to hijack Facebook business accounts for malvertising or resale. Since its creator began selling access to DarkGate in June 2023, the malware has been used in phishing attacks via Microsoft Teams and spread through compromised Skype accounts. The main targets are users in the U.S., U.K. and India, particularly those in social media management roles who are likely to have access to Facebook business accounts. Victims are tricked into downloading a malicious archive containing a VBS script from a URL that redirects to Google Drive or Dropbox. WithSecure's analysis also links the activity to RedLine stealer distribution, and the firm observed the malware attempting to uninstall security products from the compromised system 30 seconds after installation. To help organizations defend against the threat, WithSecure has published indicators of compromise including IP addresses, URLs, file metadata and archive names.
2023-10-20 11:40:50 thehackernews CYBERCRIME Adopting Cybersecurity for IoT Crucial for Interconnectivity Potential
Cybersecurity professionals need to understand the role security plays in the evolution of Internet of Things (IoT) technology if its potential is to be realized. IoT security has to be built into the design and development stages to address the related risks and vulnerabilities. IoT adoption has not scaled quickly because of the traditional "build it first and security will follow" mentality, which leaves industries hesitant given the cost of deploying an insecure system. Security deficiencies are a major concern for industries adopting IoT, with 40% of firms saying they would increase their IoT budget if security issues were solved. A unified decision-making structure, similar to the relationship between application development and design teams and security operations, is recommended to accelerate adoption. Penetration testing and attack surface management can identify security gaps and vulnerabilities early. If security is managed effectively and drives further spending, the market for IoT suppliers could reach between $625 billion and $750 billion.
2023-10-20 09:07:59 thehackernews CYBERCRIME New Information Stealer ExelaStealer Emerges As Low-Cost Cybercrime Tool
A new information stealer named ExelaStealer is the latest entrant in the malware landscape, designed to capture sensitive data from compromised Windows systems. ExelaStealer is an open-source infostealer with paid customizations available. It can siphon passwords, Discord tokens, credit card data, cookies and session data, keystrokes, screenshots and clipboard content. The malware is sold on cybercrime forums and through a dedicated Telegram channel for $20 a month, $45 for three months or $120 for a lifetime licence, making it an affordable tool for entry-level criminals. It is currently built only on Windows, using a Python builder script to compile and package it. Evidence suggests it is being distributed as an executable that masquerades as a PDF document. Against the backdrop of rising cybercrime, U.S. cybersecurity and intelligence agencies recently released a joint advisory outlining the phishing techniques malicious actors use to obtain login credentials and deploy malware.
2023-10-20 05:17:34 thehackernews NATION STATE ACTIVITY US Seizes North Korean IT Scammers' Domains Linked to Global Defrauding Scheme
The US Department of Justice (DoJ) has announced the seizure of 17 website domains used by North Korean IT workers in a scheme to defraud international businesses, evade sanctions, and fund North Korea's missile program. The DoJ reported that around $1.5 million revenue was confiscated from the scammers between October 2022 and January 2023. According to court documents, these dispatched workers live primarily in China and Russia and deceive foreign companies, including those in the US, into hiring them using fake identities—generating illicit revenues of millions of dollars per year. Authorities have consistently warned about North Korea's reliance on highly-skilled IT workers, who use aliases and front companies to secure jobs in tech and virtual currency sectors. A significant portion of their wages goes back to the sanctioned North Korean state. The seized website domains were falsely presented as legitimate, US-based IT firms. In reality, the accused were working for China-based Yanbian Silverstar Network Technology and Russia-based Volasys Silver Star—both previously sanctioned by the Department of the Treasury. The FBI issued an advisory revealing how these IT workers cheated during coding tests and threatened to release proprietary source codes if not paid adequately. Authorities urged businesses to be cautious when hiring and granting access to their IT systems.
2023-10-20 01:12:41 bleepingcomputer CYBERCRIME Over 40,000 Cisco IOS XE Devices Compromised by Zero-Day Exploit
Over 40,000 Cisco devices running IOS XE have been compromised through a recently disclosed critical vulnerability tracked as CVE-2023-20198. There is currently no patch or workaround, and Cisco recommends disabling the HTTP Server feature on all internet-facing systems. Initial estimates put the number of affected devices at around 10,000, with the figure growing as further internet scans were conducted. Research teams have located thousands of infected hosts in the United States, the Philippines and Chile. The compromised devices were found primarily at telecommunication providers such as Comcast, Verizon, Cox Communications, Frontier, AT&T and Spirit, along with medical centers, universities, sheriff's offices, school districts, convenience stores, banks, hospitals and government entities. The malicious implant used in the attacks does not survive a reboot, but the high-privilege local accounts the attackers create do, and they provide full administrator access to the device. Cisco is actively investigating and will provide further details and a fix in due course.
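Three items in this brief cover the same IOS XE campaign and give the same two checks: confirm whether the web UI (`ip http server` / `ip http secure-server`) is enabled on anything reachable from the internet, and look for privilege-15 local users you did not create, the reported attacker names being 'cisco_tac_admin' and 'cisco_support'. Because the implant itself does not survive a reboot while the accounts do, the running configuration is the durable artefact to review. The audit below is an added example written for this brief, not Cisco's own tooling or guidance; it parses `show running-config` text that you have already collected, the sample configuration is constructed, and the `no ip http server` / `no ip http secure-server` remediation lines are the standard IOS commands for turning the feature off. It does not talk to devices and does not detect the implant itself.

```python
"""Audit saved IOS XE running-config text for web UI exposure and unexpected privilege-15 users."""
import re

# Lines that enable the web UI; the "no ip http ..." form disables it and will not match.
HTTP_SERVER_LINES = {"ip http server", "ip http secure-server"}
# Account names the reports attribute to the attackers.
KNOWN_ATTACKER_NAMES = {"cisco_tac_admin", "cisco_support"}
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def audit_ios_xe_config(config_text: str, expected_priv15: set) -> dict:
    """Return web UI exposure, privilege-15 accounts outside the expected set, and remediation lines."""
    http_exposed, all_priv15, unexpected, known_bad = [], [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in HTTP_SERVER_LINES:
            http_exposed.append(line)
        match = USERNAME_RE.match(line)
        if match and int(match.group(2)) == 15:
            name = match.group(1)
            all_priv15.append(name)
            if name not in expected_priv15:
                unexpected.append(name)
            if name in KNOWN_ATTACKER_NAMES:
                known_bad.append(name)
    return {
        "http_exposed": http_exposed,
        "priv15_users": all_priv15,
        "unexpected_priv15": unexpected,
        "known_attacker_names": known_bad,
        "remediation": [f"no {line}" for line in http_exposed],
    }


# Constructed sample config; hashes are omitted and the hostname is made up for the example.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname edge-rtr-01
ip http server
ip http secure-server
username netops privilege 15 secret 9 <hash-omitted>
username cisco_tac_admin privilege 15 secret 9 <hash-omitted>
username readonly privilege 1 secret 9 <hash-omitted>
"""

if __name__ == "__main__":
    result = audit_ios_xe_config(SAMPLE_CONFIG, expected_priv15={"netops"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it over the config export of every IOS XE device, with `expected_priv15` populated from your inventory rather than typed by hand, and treat any hit in `unexpected_priv15` as an incident even when the name is not one of the two reported here, since an attacker who read these articles will pick a different one. Disabling the HTTP server removes the exposure only for new attacks; a device that already has an unexpected account needs the account removed and a forensic look, not just the remediation lines.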