Daily Brief

2023-10-10 12:05:14 thehackernews CYBERCRIME GNOME Linux Systems Vulnerable to Remote Code Execution Attacks Due to libcue Library Flaw
A new security flaw in the libcue library affecting GNOME Linux systems could enable cybercriminals to stage remote code execution (RCE) attacks. The vulnerability, tracked as CVE-2023-43641 and assigned a CVSS score of 8.8, causes memory corruption in libcue, a library for parsing cue sheet files, and affects libcue versions 2.2.1 and prior. libcue is integrated into Tracker Miners, a search engine tool included by default in GNOME, a common target for attackers. The flaw stems from an out-of-bounds array access in the track_set_index function, and allows threat actors to execute code on the victim's machine by tricking the user into downloading a malicious .cue file. Additional technical information is being withheld to give users time to apply the latest updates. This alert comes two weeks after details emerged of CVE-2023-3420, a high-risk vulnerability in Google Chrome's V8 JavaScript engine that enabled RCE in the browser.
2023-10-10 12:05:14 thehackernews CYBERCRIME New Magecart Malware Campaign Manages to Exploit 404 Error Pages to Steal Customers’ Credit Card Info
A fresh Magecart campaign is exploiting default 404 error pages to conceal malicious code and steal credit card details from users. The campaign targets Magento and WooCommerce sites, with some victims being major companies in the retail and food industries. The malicious code is injected into the websites' first-party resources, either directly in the HTML pages or in one of the first-party scripts, making detection harder for security services and external scanners. The campaign executes the attack in stages to further obfuscate its activity, and activates the full attack only on specifically targeted pages. Two other techniques used to obfuscate the skimmer code are abusing a malformed HTML image tag's onerror attribute and masquerading as the Meta Pixel code snippet; both can evade static analysis and external scanning. The concealment technique unique to this campaign is modifying the default error pages to hide the skimmer code. The skimmer then overlays a fake payment form to collect user data. This new method of abusing default 404 error pages gives Magecart actors further options for evasion and concealment, and can circumvent Content Security Policy headers and other security measures that examine network requests on the page.
2023-10-10 12:05:14 thehackernews NATION STATE ACTIVITY Grayling APT Targets Multiple Industries Amid Ongoing Attack Campaign
Researchers have linked an unknown threat actor, termed 'Grayling APT', to several attacks on entities across the IT, biomedical and manufacturing sectors in Taiwan. The attack campaign began in February 2023 and remained active until at least May 2023. Other presumed targets include a Pacific Islands government agency and entities in the US and Vietnam. Grayling APT is notable for its unique DLL side-loading technique, using a custom decryptor to deploy payloads. Its main motive appears to be intelligence gathering. Attack methods include exploiting public-facing infrastructure and using web shells for prolonged access. Grayling APT uses DLL side-loading to introduce various payloads, including Cobalt Strike, NetSpy, and the Havoc framework. No current evidence suggests engagement in data exfiltration, implying a focus on reconnaissance and intelligence gathering. The use of public tools aims to hinder attribution efforts. Their focused targeting of Taiwanese organisations suggests they likely operate from a region holding strategic interest in Taiwan.
2023-10-10 12:05:14 thehackernews CYBERCRIME Increasing Online Risks to Minors: Thorn Finds Dramatic Rise in Child Sexual Abuse Material
A report from the tech non-profit Thorn highlights an escalating trend in minors taking and sharing explicit images of themselves, leading to increased risks of sexual abuse. The research aligns with the findings of other child safety organizations, with the National Center for Missing and Exploited Children reporting a 329% increase in child sexual abuse material files in the last five years. The issues identified are a potential threat to all platforms that host user-generated content, and call for advances in technology capable of combating the growing trend. Hashing and matching technology, which identifies digital fingerprints of known child sexual abuse content, has been highlighted as an efficient detection method that can limit the spread of this material. Thorn's CSAM detection tool, Safer, offers access to a database of 29+ million known CSAM hash values, and enables tech companies to share hash lists, further extending the corpus of known CSAM and aiding its disruption. Removing CSAM from the internet requires the participation and collaboration of tech companies and NGOs, and Safer has already enabled the identification of over two million pieces of CSAM on client platforms to date.
2023-10-10 12:05:13 bleepingcomputer MISCELLANEOUS Google Rolls Out Passkeys as Default Sign-in Option for Personal Accounts
Google has made passkeys the default sign-in option across all personal Google accounts. Passkeys are linked to specific devices and can simplify sign-ins. They offer a secure and convenient alternative to traditional passwords and may use hardware security keys, PINs, fingerprint scanners, or screen lock patterns for verification. The introduction of passkeys greatly decreases the chance of data breaches and phishing attacks. It also eliminates the requirement for users to remember and manage passwords, thus improving security and accessibility. Passkeys are securely stored in the cloud, allowing for seamless transitions in case of device loss or new device acquisition. This function is compatible with all major web browsers and platforms, including Windows, macOS, iOS, and ChromeOS. Google's transition to passkeys as the default sign-in method is a part of an ongoing trend endorsed by tech giants Microsoft, Apple, and Google to adopt password-less sign-ins, using what are known as FIDO or WebAuthn credentials. Despite this, traditional methods like passwords and 2-Step Verification will still function for Google Accounts.
2023-10-10 02:34:42 theregister NATION STATE ACTIVITY 'Cyber Star Program' Aims to Bolster Singapore's Response to Major Cyber Attacks
The Exercise Cyber Star program, run jointly by the Cyber Security Agency of Singapore (CSA) and the SANS Institute, began on September 25. This week-long annual event aims to enhance Singapore's capability to respond to cyber attacks in a whole-of-nation context. The latest, fifth edition attracted over 450 attendees from 11 critical information infrastructure sectors, including aviation, banking and finance, energy, government, healthcare, info-communications, land transport, maritime, media, security and emergency, and water. The program covered a wide range of threats, including ransomware, Distributed Denial of Service (DDoS), Industrial Control Systems (ICS) compromise, and insider threats, followed by technical workshops and hands-on practice sessions. The attendees participated in GRID NetWars, an interactive simulation of a real-world cyber attack that could target any of the ICS systems in Singapore. The goal was to familiarize participants with the dynamics of various threat scenarios and optimal response actions. SANS APAC Technical Director Delaney Ng also hosted a group of 20 young people in coordination with Cyber Youth Singapore (CYS), providing advice and insights on cyber security careers and effective methods for counteracting cyber threats. The program underscored the importance of extensive and continuous training, awareness campaigns, simulated exercises and developing the next generation of cyber security professionals in keeping the country's critical infrastructure resilient against cyber attacks.
2023-10-09 21:55:29 bleepingcomputer CYBERCRIME D-Link WiFi Extender Vulnerable to DoS Attacks and Remote Command Injection Attacks
D-Link's DAP-X1860 WiFi 6 range extender has been found vulnerable to denial of service (DoS) attacks and remote command injection. The device has issues with parsing SSIDs containing a single tick, allowing attackers to trick the device into executing unintended commands. Attackers within range can set up a bogus WiFi network with a deceptive name including a single tick and a command, causing the device to malfunction or run the inserted command. All processes on the range extender, including those inserted by potential attackers, run with root privileges, posing a potential threat to other connected devices. Despite German research group RedTeam discovering and reporting the flaw to D-Link in May 2023, no response or fix has been provided by the vendor. Users of DAP-X1860 extenders are advised to limit manual network scans, monitor sudden disconnections, and separate IoT devices and range extenders from sensitive devices by placing them on different networks.
2023-10-09 21:34:55 bleepingcomputer CYBERCRIME ALPHV Ransomware Gang Claims Attack on Florida's First Judicial Circuit Court
The ALPHV ransomware group, also known as BlackCat, has claimed responsibility for a cyberattack on state courts across Northwest Florida, part of the First Judicial Circuit. The gang alleges it has acquired sensitive personal data of employees, including judges. The group claims to possess a comprehensive map of the court's network systems, including local and remote service credentials, and has threatened to leak stolen information to force a negotiation. Following the cyberattack on October 2nd, the Florida circuit court announced an investigation, warning of likely disruptions to court operations across Escambia, Okaloosa, Santa Rosa, and Walton counties. Court authorities stated all facilities continue to operate without disruptions. The ALPHV gang, believed to be a rebrand of DarkSide/BlackMatter, first emerged in November 2021. The operation is known for rapid adaptation and refinement of their tactics. The FBI has issued warnings about the group, citing their success in over 60 breaches worldwide between November 2021 and March 2022.
2023-10-09 20:28:43 bleepingcomputer CYBERCRIME GNOME Linux Systems Vulnerable to Remote Code Execution Attacks via File Downloads
The Tracker Miners file metadata indexer, an integral part of the GNOME desktop on Linux systems, is vulnerable to memory corruption via malicious .CUE files. The GNOME desktop environment, widely used across several Linux distributions, including Debian, Ubuntu, Fedora, Red Hat Enterprise, and SUSE Linux Enterprise, is therefore at risk of malicious code execution. The flaw, designated CVE-2023-43641, can be exploited if a user unknowingly downloads a maliciously crafted .CUE file, which Tracker Miners on GNOME then indexes automatically. Kevin Backhouse, the GitHub security researcher who discovered the bug, urges users to update their GNOME desktop to fend off any potential attack. Although the proof-of-concept exploit needs modifications for each Linux distribution, it has been executed "very reliably" on Ubuntu 23.04 and Fedora 38, making the flaw a potential risk for all GNOME-enabled distributions. System administrators are cautioned to patch their systems to mitigate this flaw, which could result in code execution on devices running the latest releases of widely used Linux distros. Kevin Backhouse has previously discovered several severe Linux security flaws, including a privilege escalation bug and an authentication bypass bug.
2023-10-09 19:25:59 bleepingcomputer CYBERCRIME Over 17,000 WordPress Sites Compromised in Balada Injector Cyberattack
Multiple campaigns by Balada Injector compromised more than 17,000 WordPress websites last month using known vulnerabilities in premium theme plugins. The attack campaign exploited the CVE-2023-3169 flaw in the premium themes Newspaper and Newsmag, potentially affecting 155,500 websites. The malicious operations redirect visitors of the compromised websites to fake tech support pages, fraudulent lottery wins, and push notification scams. The Balada Injector operation has been active since 2017 and has compromised nearly one million WordPress sites to date. A scan of compromised sites shows that more than half of the successful attacks used the CVE-2023-3169 exploit. Sucuri recommends upgrading the tagDiv Composer plugin to version 4.2 or later to protect against Balada Injector, as well as keeping all themes and plugins updated, removing dormant user accounts, and scanning files for hidden backdoors.
2023-10-09 18:04:28 bleepingcomputer CYBERCRIME Hackers Use Online Stores’ 404 Error Pages to Steal Credit Card Information
A new Magecart card skimming campaign is hijacking online retailers' 404 error pages to hide malicious code designed to steal customer credit card information. This campaign targets Magento and WooCommerce-hosted sites, with some victims linked to prominent organizations in the food and retail sectors. The '404 Not Found' error page is abused to conceal and load the code, an innovative concealment technique not seen in previous Magecart campaigns. The skimmer loader is either disguised as a Meta Pixel code snippet or hidden within random inline scripts, and issues requests to a nonexistent path named 'icons', which returns a '404 Not Found' error and so bypasses detection by most security tools. The skimmer code presents a fake form where visitors are prompted to enter sensitive information such as credit card details, which is then sent to the attackers disguised as a benign image fetch, thereby evading network traffic monitoring tools. This use of 404 pages underlines the constantly evolving techniques of Magecart actors, making it increasingly difficult for webmasters to locate and remove their malicious code from compromised websites.
2023-10-09 17:59:07 bleepingcomputer CYBERCRIME Magecart Skimming Campaign Exploits 404 Error Pages for Credit Card Theft
A new Magecart card skimming campaign is hijacking online retailers' 404 error pages to hide malicious code and steal customers' credit card information. This innovative technique, observed by the Akamai Security Intelligence Group, primarily targets Magento and WooCommerce sites, including organizations in the food and retail sectors. Besides 404 error pages, the attackers also use the HTML image tag's 'onerror' attribute and image binary techniques to conceal malicious code. The skimmer loader disguises itself as a Meta Pixel code snippet or hides within scripts on the compromised checkout page and fetches non-existent paths; the 404 error returned from these paths contains the malicious code. The skimming code displays a spoofed form to visitors, asking for sensitive information such as credit card details. Upon submission, the information is encoded and sent to the attacker under the guise of an image request URL. Akamai's findings highlight the growing sophistication of Magecart actors, making it increasingly difficult to detect and remove their malicious code from infected websites.
2023-10-09 16:22:26 thehackernews CYBERCRIME Suspected Chinese Botnet PEACHPIT Uses Compromised Android, iOS Devices in Massive Ad Fraud Scheme
A China-based operation has used a botnet named PEACHPIT to commit ad fraud, leveraging compromised Android and iOS devices. The operation forms part of a larger criminal enterprise named BADBOX. Operatives behind BADBOX sold off-brand mobile and connected TV (CTV) devices laced with the Triada Android malware strain on popular online retail sites, creating a backdoor into the victims' devices. The botnet's apps were found in 227 countries; 39 apps installed more than 15 million times on Android and iOS devices were used to carry out ad fraud, data theft, and other illicit activities. PEACHPIT botnet operators also used the backdoored devices to create fake WhatsApp and Gmail accounts, thereby bypassing bot detection mechanisms. Evidence suggests that the Android devices were compromised through a hardware supply chain attack. BADBOX malware was found across 200 distinct Android device types, indicating the scale of the operation. Risk management firm HUMAN worked with Apple and Google to limit the botnet's operations. However, the threat actors behind the operation are likely adjusting their strategies to circumvent defensive measures.
2023-10-09 15:19:54 theregister NATION STATE ACTIVITY Ex-US Army Sergeant Accused of Attempting to Share Top Secret Information with China
Ex-US Army Sergeant Joseph Daniel Schmidt was arrested in San Francisco on charges of attempting to deliver and retaining national defense information. His last duty post was at Joint Base Lewis-McChord, and his work fell under the Indo-Pacific Command, covering the Pacific and Indian Ocean region, including China. The Department of Justice (DoJ) claims Schmidt created a Word document titled "Important Information to Share with Chinese Government" and offered to share Top Secret information via a Gmail address linked to his name. Schmidt is alleged to have emailed a Chinese state-owned enterprise, offering a Secret Internet Protocol Routing PKI token, an encryption key for accessing classified US intelligence networks. The DoJ noted Schmidt retired in January 2020 and traveled between China, the US, and Istanbul. He had reportedly been trying to secure employment and a permit to permanently relocate to China. The FBI claims that Schmidt had been told by Hong Kong immigration authorities that he had overstayed in the country in July 2020. Acting US attorney Tessa M Gorman for the Western District of Washington described the alleged actions of Schmidt as shocking.
2023-10-09 15:14:27 bleepingcomputer DATA BREACH Hackers Exploit Citrix NetScaler Flaw to Steal Login Information
Hackers are exploiting the CVE-2023-3519 flaw in Citrix NetScaler Gateways on a large scale to steal user login details; the flaw is a critical zero-day bug discovered in July. Despite warnings to update Citrix devices, the attack surface remains significant; as of mid-August, the flaw had been used to backdoor at least 2,000 Citrix servers. IBM's X-Force discovered a campaign to steal NetScaler credentials while investigating a client case; the hackers exploited CVE-2023-3519 to inject malicious JavaScript that harvested login information. The campaign began on August 11, 2023, with 600 unique IP addresses of NetScaler devices identified, mostly in the U.S. and Europe. The attackers used a series of web requests and scripts to exploit vulnerable NetScaler devices, eventually exfiltrating the collected credentials via HTTP POST requests. A new detection artifact discovered in the attack could aid early detection; system administrators are advised to follow the remediation and detection guidance provided by the Cybersecurity and Infrastructure Security Agency (CISA).