Daily Brief

2023-10-12 12:17:38 | bleepingcomputer | DATA BREACH | Shadow PC confirms data breach following targeted social engineering attack
Shadow PC, a cloud gaming service, has alerted customers to a recent data breach that exposed the personal information of its users. The breach resulted from a successful social engineering attack that targeted one of Shadow PC's employees. A malicious actor sent malware disguised as a game on the Steam platform to an acquaintance of an employee, which was then downloaded. The malware stole an authentication cookie, allowing the attackers to log into the management interface of one of the company's software-as-a-service providers. Stolen data included full names, dates of birth, email addresses, billing addresses, and credit card expiration dates. The company confirmed that no passwords or sensitive payment information was accessed. Since the breach, Shadow PC has implemented security measures to prevent similar incidents and has revoked the stolen authentication cookie, blocking the attacker's access. A cybercriminal purportedly behind the breach has claimed on a forum to be selling the stolen data of over 500,000 customers; however, this claim has not been independently verified.
2023-10-12 11:31:28 | thehackernews | MALWARE | Hexadecimal IPs Utilized in ShellBot Attacks Against Poorly Managed Linux SSH Servers
Threat actors are using IP addresses written in hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware ShellBot. The malware, also known as PerlBot, breaches servers with weak SSH credentials by means of dictionary attacks, enabling the staging of DDoS attacks and the delivery of cryptocurrency miners. Recent ShellBot attacks have been observed installing the malware from hexadecimal IP addresses in an attempt to evade URL-based detection signatures. ShellBot uses the IRC protocol to communicate with its command-and-control server and continues to be used in steady attacks against Linux systems. Users are advised to switch to strong passwords and rotate them regularly to prevent brute-force and dictionary attacks. ASEC also revealed that attackers are weaponizing abnormal certificates with unusually long strings in the Subject Name and Issuer Name fields to distribute malware such as Lumma Stealer and a variant of RedLine Stealer. These malware families are primarily distributed via malicious pages that are easily reachable through search engines, posing a threat to a wide range of users.
2023-10-12 11:00:33 | theregister | CYBERCRIME | US Construction Giant Simpson Manufacturing Falls Victim to Cyberattack
Simpson Manufacturing, a US-based construction supplies provider, has reported a cyberattack on its IT infrastructure on October 10, 2023, which caused disruptions and took some systems offline. The company, which has a market capitalization of $6.1 billion and global operations, is still dealing with ongoing disruptions, and a ransomware infection is suspected. The investigation into the nature and scope of the incident is ongoing, with third-party cybersecurity specialists engaged to aid the probe and recovery efforts. Although the construction industry was long considered immune to cyberattacks, that perception has shifted: the sector is now one of the most affected by data security incidents, according to a 2021 report by the Association of General Construction of America. The report also highlighted that cyber criminals see the construction industry as a lucrative target because it lacks robust data security and privacy measures while holding a substantial amount of digitally stored confidential information. As advanced technologies become more commonplace in construction, the sector's exposure grows unless appropriate data security and privacy risk assessments and controls are in place.
2023-10-12 10:34:21 | thehackernews | MALWARE | Microsoft Defender Prevents Large-Scale Akira Ransomware Attack With User Containment Feature
Microsoft Defender for Endpoint's user containment feature detected and stopped a large-scale Akira ransomware attack on an undisclosed industrial organization in June 2023. The ransomware operators, tracked as Storm-1567, used devices not onboarded to Microsoft Defender as a means of defense evasion. They also conducted reconnaissance and lateral movement before initiating encryption using a compromised user account. Defender for Endpoint's attack disruption capability can prevent compromised accounts from accessing other resources within a network, limiting the perpetrators' ability to move laterally. The feature is designed to cut off all inbound and outbound communication from the contained account and prevent human-operated attacks from spreading to additional devices within the network. Microsoft stated that the feature also disrupted an attack attempt on a medical research lab in August 2023, where the attacker tried to reset the password for a default domain administrator account. Microsoft emphasized the importance of preventing the compromise of highly privileged user accounts, which could give attackers access to the network's Active Directory and allow them to subvert conventional security measures.
2023-10-12 10:34:21 | thehackernews | CYBERCRIME | Enhancing Data Protection in ChatGPT with Browser Security Platforms
Generative AI tools such as ChatGPT present a new data exposure risk when employees inadvertently paste sensitive information into them. Traditional Data Loss Prevention (DLP) solutions, designed to protect file-based data, are ill-equipped to manage these risks. A new report by LayerX proposes browser security platforms as a solution. These platforms enable real-time monitoring and governance of web sessions, thereby protecting sensitive data. Unlike DLP solutions, browser security platforms offer real-time visibility and enforcement on live web sessions, giving complete oversight of user input into platforms like ChatGPT. The report suggests a three-tiered approach in which organizations can block, alert on, or allow specific actions, enabling a customized data protection strategy. According to the report, browser security platforms are currently the only solutions capable of mitigating data exposure risks in AI-driven text generators.
2023-10-12 09:17:56 | thehackernews | MALWARE | Cybersecurity researchers unveil malware masquerading as WordPress caching plugin
Cybersecurity researchers have discovered a sophisticated new form of malware that disguises itself as a WordPress plugin. The malware can clandestinely create administrator accounts and take control of compromised sites. Identified by Wordfence, the plugin is sophisticated and professionally designed, including features that prevent it from being listed among activated plugins. It gives attackers the ability to remotely activate and deactivate plugins on a compromised site and to create rogue admin accounts with preset, hard-coded credentials. Its functions also include remotely triggering malicious actions, modifying posts and page content, injecting spam links or buttons, and manipulating search engine crawlers. The researchers noted that the scale of the attacks and the initial intrusion vector used to compromise the sites are currently unknown. Separately, Sucuri reported that over 17,000 WordPress websites were compromised in September 2023, with the Balada Injector malware being used to add malicious plugins and create unauthorised blog administrators.
2023-10-12 08:47:01 | theregister | NATION STATE ACTIVITY | HM Government Partners with SANS to Train Cybersecurity Professionals in Upskill in Cyber Programme
HM Government has partnered with SANS to offer the Upskill in Cyber programme, which trains cybersecurity professionals. The programme, launched earlier this year, offers intensive, accelerated training designed to help graduates acquire the skills needed to launch their cybersecurity careers. This year saw a record 4,600 applications, with only the top 7% selected on the basis of aptitude-based assessments. Graduates complete key cybersecurity certifications, such as the GIAC Foundational Cyber Security Technologies and GIAC Security Essentials certifications. The Upskill in Cyber programme also connects graduates with local companies, contributing to the growth and success of the UK's cybersecurity industry. Companies such as e2e-assure that have hired talent from the programme have reported positive benefits, including increased recognition and trust within the industry. Further information about the programme and about hiring graduates is available by email and on the programme's official website.
2023-10-12 06:24:42 | thehackernews | CYBERCRIME | Asian Governments and Telecom Giants Targeted by Persistent Cyber Attacks
An ongoing cyber campaign has been targeting high-profile Asian government and telecom entities since 2021. The countries affected include Vietnam, Uzbekistan, Pakistan, and Kazakhstan. Cybersecurity company Check Point, which has labelled the campaign 'Stayin' Alive', reports that the attackers deploy basic backdoors and loaders to deliver further malware. The attack chain begins with a spear-phishing email carrying a ZIP attachment that uses DLL side-loading to install a backdoor called CurKeep. The campaign's infrastructure overlaps with that of ToddyCat, a China-linked threat actor known for attacking government and military agencies in Europe and Asia since December 2020; nonetheless, there is no conclusive evidence linking the two. The attackers employ a continually changing collection of loader variants able to execute remote commands and launch new processes, along with a passive implant that accepts remote connections. The increasingly common use of disposable loaders and downloaders, as observed in this campaign, makes detection and attribution more challenging because they are regularly replaced and potentially written from scratch.
2023-10-12 04:42:46 | thehackernews | CYBERCRIME | Major security vulnerabilities identified in Curl data transfer library - Patches released
Developers have found two major security flaws in the curl data transfer library and have released patches to address them. The more serious flaw, designated CVE-2023-38545, could potentially result in code execution. It affects libcurl versions 7.65.0 to 8.3.0 and is caused by a bug in a local variable during a slow SOCKS5 proxy handshake. Both flaws could theoretically be exploited without the need for a denial-of-service attack, via an overflow triggered by a malicious HTTPS server redirecting to a specific URL. Notably, experts have speculated that the vulnerability will be exploited for remote code execution in live environments. However, the specific preconditions required for a machine to be vulnerable are more restrictive than initially believed. The second flaw allows an attacker to insert cookies into a running program that uses libcurl in certain circumstances; affected versions for this vulnerability are 7.9.1 to 8.3.0. Patches for both vulnerabilities are included in version 8.4.0, released on October 11, 2023. Even with the patches available, the developer has commented that these flaws would not have been possible had curl been written in a memory-safe language instead of C, but there are no plans to port curl to a different language.
2023-10-11 21:26:20 | bleepingcomputer | MALWARE | New Malware Creates Rogue Admin to Hijack WordPress Websites
New malware has been discovered that creates a rogue admin account on WordPress sites, allowing the threat actors to control the site's activity. The malware poses as a legitimate caching plugin and includes a variety of functions that let it manage plugins, replace content, or redirect certain users to malicious locations. The malicious plugin hides itself from the active plugins list on compromised websites and excludes itself from manual inspections. Cybersecurity firm Defiant, maker of the Wordfence security plugin for WordPress, discovered the malware in July. The firm has released a detection signature for users of the free version of Wordfence and added a firewall rule to protect premium users. Defiant has not yet determined the initial access vector used to compromise the WordPress sites; however, common methods include stolen credentials, brute-forced passwords, or exploitation of a vulnerability in an existing plugin or theme.
2023-10-11 21:10:38 | bleepingcomputer | DATA BREACH | Air Canada Suffers Data Breach; Hacker Group BianLian Claims Responsibility
The threat actor group BianLian has claimed responsibility for a recent data breach at Air Canada, which it says involved the exfiltration of about 210GB of data containing sensitive information spanning 2008 to 2023. The cybercrime group states that the stolen data includes Air Canada's technical and security challenges, SQL backups, employee personal data, information about vendors and suppliers, confidential documents, and company database archives. Air Canada confirmed it was aware of the threats posed by BianLian but did not confirm the group's involvement in the breach. Details about the number of affected employees, the date of the breach, or when the incident was detected have not been disclosed. As a precaution, the airline has urged customers to enable SMS-based multi-factor authentication on their Aeroplan accounts and to adopt strong passwords to guard against credential stuffing and password spraying attacks. This incident follows a 2018 security breach affecting Air Canada's mobile app users, which led to unauthorized access to a significant amount of personal data, though no credit card or aircanada.com account information was exposed. Air Europa, Spain's third-largest airline, also revealed this week that hackers accessed its customers' credit card information in a recent data breach, prompting it to advise customers to cancel their cards.
2023-10-11 19:43:56 | theregister | NATION STATE ACTIVITY | US Navy Sailor Pleads Guilty to Selling Military Secrets to China
A US Navy service member, Wenheng Zhao (also known as Thomas Zhao), has pleaded guilty to passing American military secrets to a Chinese intelligence officer and is set to be sentenced in January. Zhao held a US security clearance that gave him access to 'secret' data at Naval Base Ventura County in California, which focuses on developing and testing missiles, electronic warfare systems, and other weapons. Zhao admitted to receiving bribes from a Chinese spymaster in return for confidential information about US Navy operational security, military training and exercises, and critical infrastructure. In addition to providing plans for a large maritime training exercise in the Pacific theater, Zhao sold operational orders, electrical plans, and blueprints for a radar system in Okinawa, Japan, and admitted to using encrypted communication methods to transmit this information. Zhao was arrested alongside another Navy service member, Jinchao Wei, who was also charged with spying-related crimes at a separate naval base in San Diego, California. The latest reports indicate that a former US Army sergeant was arrested last week and faces federal felony charges for conspiring to pass classified information to the Chinese government.
2023-10-11 18:40:52 | bleepingcomputer | CYBERCRIME | Microsoft Defender Enhances Security with Auto-Isolation of Compromised Accounts
Microsoft Defender for Endpoint now includes an automatic attack disruption feature that isolates compromised user accounts, preventing lateral movement in hands-on-keyboard attacks. The feature targets incidents such as human-operated ransomware, where adversaries infiltrate networks, escalate privileges through stolen accounts, and deploy malicious payloads. The 'contain user' capability achieves this by suspending compromised users across all devices, denying an attacker the opportunity to carry out hostile activity such as moving laterally, stealing data, and encrypting remotely. Once the early phases of a human-operated attack are recognized on an endpoint using signals from Microsoft 365 Defender, the automatic attack disruption feature stops the attack on that machine. Concurrently, Defender for Endpoint protects all other devices in the organization by blocking incoming malicious traffic, leaving the adversary with no additional targets. Since the feature's introduction, 6,500 devices have been spared from ransomware campaigns conducted by various hacker groups. Microsoft Defender for Endpoint has also been able to isolate compromised and unmanaged Windows devices since June 2022, further restricting potentially malicious activity.
2023-10-11 14:41:51 | theregister | MISCELLANEOUS | Wide Earnings Gap Seen in CISO Community as Salary Growth Slows
The wage gap among US-based Chief Information Security Officers (CISOs) has widened, with the salaries of high earners growing at three times the rate of lower earners, according to a recently released survey by IANS. The survey polled 600 CISOs and found that most earn either under $400k annually or over $700k, with very few in the intermediate bracket. Just over half earn less than $400k a year, and 30% of that group earn less than $300k. Of all respondents, a fifth earn more than $700k, and half of those higher earners make more than $1 million per year. Total CISO compensation grew 11% this year, notably slower than last year's growth rate of 14%. The report also found that 75% of surveyed CISOs are considering changing jobs, citing reasons such as pay and work-life balance. Nick Kakolowski, senior research director at IANS, noted that while high earners have continued to see substantial increases in compensation, middle and lower earners have not, which is driving job dissatisfaction.
2023-10-11 14:31:14 | bleepingcomputer | NATION STATE ACTIVITY | Chinese-Backed Threat Group Exploits Critical Zero-Day Bug in Atlassian Confluence
Microsoft has identified the China-backed group Storm-0062 as the entity exploiting a critical zero-day in Atlassian Confluence Data Center and Server since mid-September. Although Atlassian disclosed the vulnerability (CVE-2023-22515) and made security updates available in early October, the company did not release details about the threat groups exploiting it. Storm-0062, which has links to China's Ministry of State Security, leveraged the flaw for nearly three weeks, creating arbitrary administrator accounts on vulnerable endpoints. The group, also known as DarkShadow or Oro0lxy, is notorious for targeting software, engineering, medical research, government, defense, and tech firms around the world to collect intelligence. Rapid7 researchers recently released a proof-of-concept exploit along with full technical details about the vulnerability, which may shift the exploitation landscape; Rapid7 has also provided detailed instructions for countering the threat. The flaw does not affect Confluence Data Center and Server versions before 8.0.0, and Atlassian-hosted instances on atlassian.net domains are not vulnerable. Users of affected versions are strongly encouraged to upgrade to the fixed releases.