Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-10-14 14:12:43 | bleepingcomputer | MALWARE | Compromised Skype Accounts Serve as Conduits for DarkGate Malware Attacks | Between July and September, attackers used compromised Skype accounts to deliver DarkGate malware via messages carrying VBA loader script attachments. The attackers took over the victims' Skype accounts, hijacked existing conversation threads, and named the malware files to match the chat context. The exact method of the initial account compromise remains unclear, but Trend Micro suspects leaked credentials on underground forums or a prior compromise of the parent organization. Trend Micro also observed attempts to deliver the same DarkGate payload through Microsoft Teams in organizations that allow messages from external users. The attackers' goals range from full penetration of the target environment to ransomware and cryptomining, depending on the DarkGate variant used. The increased use of DarkGate for initial access into corporate networks since the shutdown of the Qakbot botnet in August underscores the growing influence of this malware-as-a-service operation. While delivery methods vary, from phishing to malvertising, the surge in DarkGate activity shows the threat actors' determination to adapt their tactics despite disruptions and challenges. |
| 2023-10-14 11:40:08 | bleepingcomputer | CYBERCRIME | Ubuntu Pulls Desktop Release Due to Hate Speech Inserted in Ukrainian Translations | Ubuntu, the popular Linux distribution, has withdrawn its Desktop release 23.10 over hate speech embedded in its Ukrainian translations. The company identified a malicious contributor as the source of the anti-Semitic, homophobic, and xenophobic slurs, which were injected using a third-party tool outside the Ubuntu Archive. Ubuntu took down the affected images three hours after the release, stating that the issue affects only translations shown during installation in the Live CD environment, which are held in memory only and never written to disk; users upgrading from a previous Ubuntu release are therefore not affected. The malicious strings were reportedly appended near the end of the translations file by a user named "Danilo Negrilo," making them harder to spot. Although this incident was limited to translations, it has raised concerns among users about whether malware could be introduced into future Ubuntu releases through their dependencies in a similar way. Ubuntu has restored the Ukrainian translations to their pre-incident state and is conducting a broader audit before making the release officially available again. For now, users can download Ubuntu Desktop 23.10 using the unaffected Legacy installer ISO or upgrade from a previously supported release. |
| 2023-10-14 10:03:23 | bleepingcomputer | CYBERCRIME | Ubuntu Halts Desktop Release 23.10 Due to Hate Speech in Ukrainian Translations | Ubuntu, the most popular Linux distribution, has temporarily taken down its Desktop release 23.10 after hate speech was detected in its Ukrainian language translations. The translations contained anti-Semitic, homophobic, and xenophobic slurs introduced via a third-party tool external to the Ubuntu Archive, and were attributed to a malicious contributor. The release was removed approximately three hours after the issue was flagged. The incident reportedly affects only users who download and install the system afresh, not those who upgrade from an earlier version. Concerns have been raised that malware could be introduced into future Ubuntu releases in a similar manner; however, Ubuntu's development team argues that the complexity of translations makes them harder to monitor than code dependencies, which undergo regular security audits. Ubuntu has restored the Ukrainian translations to their pre-tampering state, and a broader audit is underway before the release is made officially available again. Meanwhile, users are advised to download the unaffected Ubuntu Desktop Legacy ISO. |
| 2023-10-14 06:33:43 | thehackernews | CYBERCRIME | Microsoft to Phase Out NTLM for Kerberos to Bolster Security in Windows 11 | Microsoft plans to phase out NT LAN Manager (NTLM) authentication in Windows 11 in favor of stronger authentication. The company is strengthening the Kerberos authentication protocol, which has been the default since 2000, and is introducing two new features to support the change: Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos. NTLM, a suite of security protocols intended to provide authentication, integrity, and confidentiality, is vulnerable to relay attacks, making it the less secure option. Microsoft is also addressing hard-coded NTLM usage in preparation for disabling NTLM in Windows 11 and encouraging the use of Kerberos instead. The changes will be enabled by default and will not require configuration in most scenarios; NTLM will remain available as a fallback to maintain compatibility. |
| 2023-10-13 22:26:30 | bleepingcomputer | RANSOMWARE | Increased Ransomware Attacks Continue, Major Corporations & Public Sectors Affected | Ransomware attacks have intensified, causing severe disruption to business operations and leading to data breaches when a ransom is not paid. Among those affected are Air Canada, state courts in Northwest Florida, and Simpson Manufacturing. The BianLian group is responsible for the attack on Air Canada, while ALPHV claimed the attack on the Northwest Florida state courts. The attack on Simpson Manufacturing caused the company to shut down its IT systems entirely, although it remains unconfirmed whether it was a ransomware attack. The complete source code for the first version of the HelloKitty ransomware has been leaked on a Russian-speaking hacking forum, along with claims that a more potent version is in development. The Spanish airline Air Europa recently suffered a data breach that compromised customers' credit card information; customers have been advised to cancel their cards immediately. The Federal Bureau of Investigation (FBI) has shared AvosLocker ransomware technical details and defense tips, and unpatched WS_FTP servers have become a new target for ransomware attacks. Reports indicate that Q3 of 2023 was the most successful quarter ever recorded for ransomware attacks. |
| 2023-10-13 20:14:07 | bleepingcomputer | DATA BREACH | 23andMe Faces Multiple Lawsuits Following Large-Scale Data Breach | Genetic testing provider 23andMe has been hit with several class action lawsuits following a data breach that potentially affected millions of its customers. A threat actor leaked customer data on cybercrime forums, including sensitive information such as account IDs, full names, birth dates, DNA profiles, and location details. In response, 23andMe said the attackers used credential-stuffing attacks against weakly secured accounts and denied that its systems were directly breached. The company disclosed that the breach widened because customers had activated an optional feature named 'DNA Relatives,' which connects genetic relatives. 23andMe is working with third-party experts and law enforcement to investigate the breach and plans to notify affected customers individually. The lawsuits criticize 23andMe for its lack of transparency regarding the breach, its inadequate security measures, and its failure to monitor its network for abnormal activity. Plaintiffs are seeking various forms of financial relief, including lifetime credit monitoring and both actual and punitive damages. |
| 2023-10-13 19:58:29 | bleepingcomputer | DATA BREACH | Multiple Class-Action Lawsuits Filed Against Genetic Testing Provider 23andMe over Major Data Breach | Genetic testing service 23andMe faces multiple class-action lawsuits following a significant data breach that potentially affected millions of customers. The company says hackers accessed its platform via credential-stuffing attacks on poorly protected accounts. The breach involved the publication on hacker forums of a CSV file containing data on nearly 1 million Ashkenazi Jews who used 23andMe's services; the disclosed details included account IDs, full names, sex, date of birth, DNA profiles, and location details. Although the original hacker retracted the post and opted to sell the stolen profiles instead, other threat actors continued to share the initial leak across cybercrime communities. The company explained that the breach expanded because customers had activated the optional 'DNA Relatives' feature. 23andMe has promised to notify affected customers individually and to continue its investigation with the help of law enforcement and third-party experts. The lawsuits, filed in California, criticize 23andMe's lack of adequate network monitoring and proactive security measures, maintaining that the company should have been more alert to cybersecurity threats. The plaintiffs are seeking various forms of financial compensation, including restitution, lifetime credit monitoring, and coverage of attorney's fees, among others. Nominal damages are set at $1,000 and punitive damages at $3,000 per class-action member. |
| 2023-10-13 19:02:22 | theregister | DATA BREACH | Cloud PC Gaming Company Shadow Suffers Data Breach Due to Social Engineering Attack | Shadow, a French cloud service that provides Windows PC gaming among other services, has confirmed a data breach resulting from a social-engineering attack that reportedly exposed customer data. An individual claiming responsibility is allegedly attempting to sell a database containing information on over 530,000 Shadow customers on a cybercrime forum. Exposed data includes full names, email addresses, birth dates, billing addresses, and credit card expiration dates; however, CEO Eric Sele emphasized that no passwords or sensitive banking data were compromised. Sele said the attack began on Discord with the download of malware delivered via a game on the Steam platform. From there, the attacker used a stolen cookie to access the management interface of one of Shadow's SaaS providers and extracted private customer information. The company has locked down its systems and reinforced security protocols with third-party providers in response. Sele apologized to customers and asserted Shadow's commitment to transparency. |
| 2023-10-13 18:21:24 | theregister | CYBERCRIME | Novice Ransomware Group Targets WS_FTP Servers; Sophos X-Ops Prevents Attacks | The first ransomware campaign to exploit a vulnerability in WS_FTP Server, a Progress Software product, was detected this week, according to security firm Sophos X-Ops. The attackers reused code from the LockBit 3.0 ransomware, and the fact that file encryption failed suggests they are relatively inexperienced. The perpetrators, identified as the "Reichsadler Cybercrime Group," demanded a notably low ransom (0.018 Bitcoin, or less than $500) compared with more established cybercriminal operations. Their location is unclear, but the ransom note's timestamp was set to Moscow Standard Time. Sophos X-Ops prevented the ransomware payload from being downloaded after the intrusion technique triggered a security rule in the Sophos product. Patches for the WS_FTP vulnerabilities were released on September 27, and the first wave of attacks was spotted on September 30. Security firm Assetnote found about 2,900 hosts running the file transfer software as of October 4, suggesting a sizable potential target base. |
| 2023-10-13 16:49:32 | bleepingcomputer | CYBERCRIME | Microsoft Planning to Phase Out NTLM Authentication in Windows 11 | Microsoft has announced plans to phase out the NTLM (New Technology LAN Manager) authentication protocol in Windows 11 because of its security vulnerabilities. NTLM, used to authenticate remote users and provide session security, is abused by threat actors in attacks such as NTLM relay and pass-the-hash; these attacks can give an attacker full control of a Windows domain or access to sensitive data using stolen NTLM hashes. Microsoft has advised developers to stop using NTLM since 2010 and has recommended that Windows admins either disable NTLM or block NTLM relay attacks using Active Directory Certificate Services (AD CS). The company is developing two new Kerberos features, IAKerb (Initial and Pass Through Authentication Using Kerberos) and Local KDC (Local Key Distribution Center), to broaden Kerberos usage and address the scenarios that currently cause fallback to NTLM. While working toward disabling NTLM in Windows 11, Microsoft plans to provide enhanced controls for monitoring and restricting NTLM usage, which administrators can use where compatibility requires it. |
| 2023-10-13 16:13:16 | bleepingcomputer | CYBERCRIME | EtherHiding: Hackers Use Binance Smart Chain to Distribute Malicious Scripts | Cybercriminals are using a novel code distribution method called 'EtherHiding' that uses Binance Smart Chain contracts to hide malicious scripts on the blockchain. The hackers initially used compromised WordPress sites that redirected to Cloudflare Worker hosts to inject malicious JavaScript into hacked sites, but switched to the blockchain because it provides a more resilient and evasive distribution channel. The technique, discovered by Guardio Labs researchers, sees threat actors trick users into downloading fake browser updates via hijacked WordPress sites. The attack begins with the hackers targeting vulnerable WordPress sites or compromising admin credentials to inject scripts into web pages; these scripts pull malicious code from the blockchain, which in turn triggers the download of a third-stage payload from the attackers' command-and-control (C2) servers. Because the C2 address is read directly from the blockchain, attackers can change it frequently to evade blocks. Once the victim clicks the update button, they are led to download a malicious executable from Dropbox or other legitimate hosting services. The blockchain's decentralized nature and its ability to run apps and smart contracts mean that code hosted on it cannot be taken down, making such attacks unblockable. If successful, blockchain abuse could become an integral part of payload delivery chains in the future, and efforts to mitigate such attacks will need to focus heavily on improving WordPress security. |
| 2023-10-13 15:32:16 | theregister | CYBERCRIME | Microsoft Visual Studio's Trusted Locations Feature Exploited | Microsoft's Visual Studio integrated development environment (IDE) has been found to have vulnerabilities that allow a single-click remote code execution (RCE) exploit. The exploit was developed by Zhiniang Peng, principal security researcher and chief architect of security at Sangfor; it targets the default implementation of Visual Studio's "trusted locations" feature. Lowering the bar for a successful attack, the targeted feature is not enabled by default, leaving unaware users exposed. The issue remains unaddressed by Microsoft, which does not consider it a security vulnerability; Microsoft asserts that downloading and opening a project from platforms such as GitHub is inherently insecure. Peng's attack is deceptive because it relies on a .suo binary file, which is not displayed by default in a project's file explorer and is hard to read. Despite the clear demonstration of the exploit, Microsoft maintains that the issue does not constitute a "true" vulnerability and hence will not be patched. Peng further noted that another security feature, Mark of the Web (MOTW), is not honored by Visual Studio, and solution (.sln) files can be opened without any warning, making it easy to bypass protections. |
| 2023-10-13 14:56:11 | bleepingcomputer | CYBERCRIME | US Cybersecurity Agency Reveals Vulnerabilities and Misconfigurations Exploited by Ransomware Gangs | The US Cybersecurity and Infrastructure Security Agency (CISA) has released further information about security vulnerabilities and misconfigurations that ransomware attackers exploit, to help critical infrastructure organizations defend against such attacks. CISA's Ransomware Vulnerability Warning Pilot program, launched in January 2021, has identified and shared details on more than 800 vulnerable systems with internet-accessible vulnerabilities commonly exploited by ransomware operations. Recognizing that organizations may be unaware that ransomware threat actors are exploiting vulnerabilities within their networks, CISA made this information available to all organizations through the Known Exploited Vulnerabilities (KEV) Catalog. As a companion resource, CISA has created the Misconfigurations and Weaknesses list, detailing oversights known to be used in ransomware attacks. These efforts respond to increasing ransomware threats against critical infrastructure and US government agencies; other measures include the Ransomware Readiness Assessment, introduced in June 2021, and guidance intended to help prevent data breaches resulting from ransomware incidents. CISA has also formed an alliance with the private sector, the Joint Cyber Defense Collaborative, to protect US infrastructure from ransomware and other cyber threats, and has launched StopRansomware.gov, a dedicated site offering information on mitigating ransomware attacks. |
| 2023-10-13 14:50:45 | theregister | NATION STATE ACTIVITY | EU Cyber Resilience Act Poses Major Concerns for Open Source Developers | The EU Cyber Resilience Act (CRA) has raised concerns among open source developers over regulations they see as stringent enough to hinder software development. The CRA, approved on July 13, 2023, imposes strict cybersecurity requirements on all applications and devices sold in the EU, requiring software creators, including individual developers, to fix security flaws and regularly update and validate their products. Even developers outside the EU who distribute software via the internet could be liable for CRA penalties, with the potential for significant fines. Non-profit foundations and private companies developing open source software would also need to comply. The CRA may be amended to exclude some open source projects with a "fully decentralized development model". There are fears that the complexity of CRA compliance may be too much for individual developers and small or medium-sized businesses to handle. The Linux Foundation Europe has encouraged concerned developers to act swiftly against the legislation and has provided suggestions on available courses of action. |
| 2023-10-13 14:34:48 | thehackernews | CYBERCRIME | New 'PEAPOD' Cyberattack Targets EU Military Personnel, Political Leaders Working on Gender Equality | A new version of the RomCom RAT malware, known as PEAPOD, is being used in a campaign targeting European Union military personnel and political leaders involved in gender equality initiatives. The malware is typically distributed through highly targeted spear-phishing emails and decoy online advertisements that trick victims into visiting counterfeit sites hosting trojanized applications. The campaign is reportedly run by a group tracked as Void Rabisu, which conducts both financially motivated and espionage attacks and has tended to focus on Ukraine and nations supporting Ukraine in its conflict with Russia. Microsoft had previously implicated Void Rabisu in the exploitation of a remote code execution flaw in Office and Windows HTML. PEAPOD communicates with a command-and-control server to execute operations on the targeted system and includes new defense evasion techniques for more sophisticated attacks. The latest attacks, in August 2023, delivered an updated, slimmed-down version of the malware via a decoy website hosting an executable that appears to contain photos from a Women Political Leaders Summit; the file instead drops 56 decoy photos onto the system and retrieves a DLL from a remote server, reducing the malware's footprint and complicating detection. Trend Micro speculates that Void Rabisu may be one of the financially motivated criminal groups that have moved into cyberespionage because of the geopolitical situation created by the war in Ukraine. |