Daily Brief


Total articles found: 12589

Checks for new stories every ~15 minutes

2023-10-09 12:39:27 thehackernews CYBERCRIME Phishing Toolkit 'EvilProxy' Targets Senior Executives in the US
A phishing campaign that reportedly began in July 2023 is targeting senior executives at US organizations, predominantly in banking and financial services, insurance, property management, real estate, and manufacturing. It uses the EvilProxy toolkit, a reverse proxy placed between the victim and a legitimate login page so that credentials, two-factor authentication (2FA) codes and the resulting session cookies all pass through the attacker; because the session cookie is captured, the attacker can reuse an already-authenticated session, which is why this adversary-in-the-middle approach defeats code-based MFA. The lure is an open redirect on the job search platform indeed.com: the link in the phishing email points at a genuine indeed.com URL whose redirect parameter sends the victim on to the EvilProxy page, which impersonates a Microsoft sign-in page. Because the first hop is a trusted domain, the link is more likely to pass URL reputation checks and other established controls. EvilProxy is sold as a service for monthly license fees reported at $200 to $1,000, and many threat actors use it. The activity reflects growing adoption of sophisticated social engineering and tooling for business email compromise (BEC). Separately, the Police Service of Northern Ireland has reported a similar rise in phishing emails that embed QR codes in PDF documents or PNG image files.
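The open redirect that makes this campaign work is a server-side bug: a redirect parameter is trusted without checking where it points. The function below is an added example of the check a site should apply to such a parameter; it is not code from Indeed, from the article, or from the EvilProxy toolkit, and the allowed host names are assumptions for illustration. It rejects the bypasses that open-redirect hunters try first (protocol-relative `//host`, `https:host` without slashes, backslashes, userinfo, non-https schemes and control characters) and falls back to a safe default.

```python
from urllib.parse import urlsplit

# Hosts a redirect parameter may legitimately point at. Assumed for this example;
# a real deployment would load these from configuration.
ALLOWED_HOSTS = {"www.example-jobs.com", "example-jobs.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` stays on our own site.

    Accepts a same-site relative path ("/jobs?q=1") or an absolute https URL whose
    authority is exactly one of allowed_hosts. Rejects the inputs open-redirect hunters
    try first: protocol-relative "//evil", scheme-without-slashes "https:evil",
    backslashes (browsers treat "\\" as "/"), userinfo "https://good@evil", non-https
    schemes such as javascript: and data:, and control characters.
    """
    if not isinstance(target, str) or not target:
        return False
    # Tabs, newlines and other control characters are stripped or reinterpreted by
    # browsers (and by recent versions of urlsplit itself); refuse them outright.
    if any(ord(ch) < 0x21 for ch in target):
        return False
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. A single leading "/" keeps it on-site. "//evil" never
        # reaches this branch because urlsplit fills netloc for it.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme.lower() != "https":
        return False
    # Compare the whole authority: "good.com@evil.com", "good.com:8443" and an empty
    # authority ("https:evil.com" parses with netloc == "") all fail the exact match.
    return parts.netloc.lower() in allowed_hosts


def redirect_target(requested, fallback="/"):
    """Value a login or redirect handler should actually put in its Location header."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed probes, the kind an attacker would try against a redirect parameter.
    for probe in ["/jobs?q=engineer", "//evil.example", "https:evil.example",
                  "https://www.example-jobs.com/jobs", "https://www.example-jobs.com@evil.example/",
                  "/\\evil.example", "javascript:alert(1)", "http://www.example-jobs.com/"]:
        print(f"{probe!r:50} -> {redirect_target(probe)}")
```

Note that an allowlisted host can still carry its own redirector (`https://www.example-jobs.com/out?url=...`), so the check has to be applied at every hop, not only at the first one.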
2023-10-09 12:26:13 theregister DATA BREACH Volex Announces Data Breach: Operations Uninterrupted, No Significant Financial Impact Anticipated
Power and data transmission cable maker Volex has confirmed a breach of its IT systems, saying the intrusion was contained quickly and that all sites remain operational with minimal disruption. The company enacted its cybersecurity protocols and engaged third-party consultants to establish the scope of the incident and execute its incident response plan. It does not expect the financial fallout to be significant, although its shares fell by more than 3% after the announcement. Volex, whose products range from power cords to datacenter power cables, reports revenue of more than £720 million ($879 million) and has production sites in Eastern Europe and across Asia. The company has not yet said what kind of attack it was, how it was detected, how long systems were exposed, or whether a ransom was demanded or malware deployed. The incident is a reminder that routine controls such as timely patching and network segmentation limit how far an intrusion can spread and how much disruption and reputational damage it causes.
2023-10-09 12:26:13 thehackernews NATION STATE ACTIVITY Gaza-linked Cyber Actors Target Israeli Energy and Defense Sectors
Microsoft's fourth annual Digital Defense Report describes a series of cyber attacks on Israeli private-sector energy, defense and telecommunications organizations by a group Microsoft tracks as Storm-1133. The actor is assessed to operate from Gaza and to work in the interests of Hamas, and the targeted organizations are ones perceived as hostile to Hamas. The attack chain combines social engineering with fake LinkedIn profiles posing as human resources managers, project coordinators and software developers at Israeli organizations; the profiles are used to send phishing messages, conduct reconnaissance and deliver malware to employees. Microsoft has also observed Storm-1133 attempting to compromise third-party organizations with public ties to its intended Israeli targets. The intrusions deploy backdoors whose command-and-control (C2) configuration is fetched from infrastructure hosted on Google Drive, letting the group update its C2 servers dynamically. The activity coincides with an escalation in the Israeli-Palestinian conflict and a rise in hacktivist operations aimed at disrupting government websites and IT systems in Israel, the U.S. and India; hacktivist groups based in Asia are increasingly active, with around 70 incidents reported so far. More broadly, Microsoft notes that state-backed actors have shifted from destructive operations toward long-term espionage, that the most targeted countries are the U.S., Ukraine, Israel and South Korea, and that Iranian and North Korean operators are becoming more sophisticated, narrowing the capability gap with their Russian and Chinese counterparts.
2023-10-09 12:26:13 thehackernews CYBERCRIME Two Security Vulnerabilities Identified in Curl Library, Updates Due on October 11
The curl project has pre-announced two security vulnerabilities, one rated high severity and one low, tracked as CVE-2023-38545 and CVE-2023-38546. Details and the affected version ranges are being withheld until the fix ships so that the information does not help attackers locate the bug; the maintainers say the issues go back through the "last several years" of releases, with CVE-2023-38545 affecting both the curl tool and libcurl and CVE-2023-38546 affecting libcurl only. They describe the risk of the flaws being independently discovered before the patch as minuscule. Because curl is ubiquitous as a command-line tool and libcurl is embedded in a vast number of applications and devices, the potential impact is broad. Organizations are advised to inventory curl and libcurl across their estate now, including applications that bundle or statically link libcurl, so they can identify vulnerable versions as soon as the advisory and curl 8.4.0 are released on October 11.
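The inventory step has one trap worth showing: the curl binary and the shared libcurl it links against can carry different version numbers, and for a libcurl-only bug like CVE-2023-38546 it is the library version that matters. The script below is an added example of that triage, not code from the curl project or the article. The sample `curl --version` output is constructed, and because the affected range had not been published when this brief was written, the lower bound is a placeholder to be filled in from the curl advisory.

```python
import re
import subprocess

# Version boundaries. The fix release is announced (curl 8.4.0); the start of the
# affected range was NOT public when this brief was written, so the value below is a
# placeholder to be replaced from the curl advisory once published.
AFFECTED_FROM = (0, 0, 0)   # placeholder, inclusive
FIXED_IN = (8, 4, 0)        # exclusive: 8.4.0 and later carry the fix

_TOOL_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)")
_LIB_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_curl_version(output):
    """Parse the first line of `curl --version` into (tool_version, libcurl_version).

    The two can differ: a distribution's curl binary is dynamically linked against
    whatever shared libcurl is installed. CVE-2023-38546 is a libcurl-only issue and
    the curl tool is exposed to CVE-2023-38545 through libcurl, so the library
    version is the one that decides exposure for dynamically linked binaries.
    """
    lines = output.strip().splitlines()
    first = lines[0] if lines else ""
    m_tool = _TOOL_RE.match(first)
    m_lib = _LIB_RE.search(first)
    tool = tuple(int(x) for x in m_tool.groups()) if m_tool else None
    lib = tuple(int(x) for x in m_lib.groups()) if m_lib else None
    return tool, lib


def classify(version, affected_from=AFFECTED_FROM, fixed_in=FIXED_IN):
    """'affected', 'fixed' or 'unknown' for a (major, minor, patch) tuple or None."""
    if version is None:
        return "unknown"
    return "affected" if affected_from <= version < fixed_in else "fixed"


def triage(inventory):
    """inventory maps hostname -> captured `curl --version` output.
    Returns hostname -> status, judged on the libcurl version."""
    return {host: classify(parse_curl_version(output)[1]) for host, output in inventory.items()}


# Constructed sample output in the format `curl --version` prints; not real hosts.
SAMPLE_INVENTORY = {
    "web-01": "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.10 zlib/1.2.13\n"
              "Release-Date: 2023-07-26\nProtocols: dict file ftp ftps http https\n",
    "build-02": "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11\n",
    "legacy-03": "bash: curl: command not found\n",
}


def local_status():
    """Run `curl --version` on this machine and classify it ('unknown' if curl is absent)."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return classify(parse_curl_version(out)[1])


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print("this host:", local_status())
```

Two caveats a practitioner should keep in mind: distributions often backport fixes without changing the version string, so package metadata and distro advisories override this comparison; and applications that bundle or statically link libcurl never appear in `curl --version` at all, so they have to be found through SBOMs or package manifests.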
2023-10-09 12:26:13 thehackernews CYBERCRIME High-Severity Security Vulnerabilities in ConnectedIO's 3G/4G Routers and Cloud-Based Platform
Multiple high-severity flaws have been found in ConnectedIO's ER2000 edge routers and in the cloud-based platform used to manage them. An attacker could use them to execute code, read sensitive data and potentially compromise the cloud infrastructure entirely, exposing the internal networks of thousands of customers to takeover, traffic interception and further intrusion into extended IoT (XIoT) devices. The flaws allow any device to be impersonated using its leaked IMEI number and forced to execute arbitrary commands, and several weaknesses were found in the device-to-cloud communication protocol, including hard-coded authentication credentials. The disclosure follows recent vulnerabilities in network-attached storage devices from Synology and Western Digital that could likewise disrupt operations, give access to internal networks, or lead to denial of service.
2023-10-09 12:26:13 thehackernews CYBERCRIME Generative AI Contributing to Security Vulnerabilities through Prompt Engineering and Injection Methods
Generative AI models such as OpenAI's ChatGPT are increasingly being abused by attackers, who craft prompts that coax the models into producing malicious code. Researchers have shown models being manipulated into writing keylogger malware and into generating polymorphic malware designed to evade detection. A technique dubbed the 'Universal LLM Jailbreak' has drawn attention: it bypasses the restrictions of ChatGPT, Google Bard, Microsoft Bing and Anthropic Claude so that they answer requests for prohibited content such as meth production and hot-wiring cars. Prompt injection is a related concern: attacker-controlled text placed into a model's input overrides the developer's instructions and makes the system behave in unintended ways, for example disclosing confidential information such as Bing Chat's internal codename. These practices call for stronger regulation and for security built into generative AI products, including guardrails on what models will do and limits on the data and tools a model can reach, so that a successful manipulation causes less damage.
2023-10-09 12:26:13 bleepingcomputer CYBERCRIME HelloKitty Ransomware Source Code Leaked By Developer on Hacking Forum
The full source code for the first version of the HelloKitty ransomware was leaked on a Russian hacking forum by a threat actor named 'kapuchin0', who is believed to be its actual developer. The developer, also known as 'Gookee', has a history of malware-related activity, including selling access to Sony Network Japan in 2020 and participating in Ransomware-as-a-Service operations. The release includes a Microsoft Visual Studio solution that builds the HelloKitty encryptor and decryptor, together with the NTRUEncrypt library the ransomware uses to encrypt files. Public source code cuts both ways: other attackers can repurpose it for their own operations, as happened after the HiddenTear and Babuk leaks. HelloKitty, active since November 2020, is known for high-profile attacks including one on CD Projekt Red, where the operators claimed to have stolen and sold the source code of several games. The group has used a Linux variant to target VMware ESXi hosts and has operated under other names, including DeathRansom, Fivehands and possibly Abyss Locker.
2023-10-09 01:28:49 theregister MALWARE Android Devices Preloaded with Triada Malware Sold Online; Sony Confirms MOVEit Breach
Fraud and bot-detection firm HUMAN Security has identified low-cost Android devices, sold online for under $50, that ship with the Triada malware preinstalled, in a campaign it calls BADBOX; more than 200 device models were found affected. The infected devices fed an ad-fraud operation dubbed PEACHPIT, which at its peak involved roughly 121,000 Android devices and 159,000 Apple (iOS) devices and generated more than four billion invisible ad requests a day. The firmware backdoor is reportedly inserted by an unidentified Chinese manufacturer before the devices reach resellers and e-commerce warehouses, so buyers receive compromised hardware with no way to tell. Separately, Sony Interactive Entertainment confirmed a data breach in which attackers used the SQL injection vulnerability in Progress Software's MOVEit Transfer file transfer software to access the data of 6,791 US employees; Sony took its MOVEit system offline on discovering the breach. The MOVEit campaign has affected more than 400 organizations and 20 million individuals to date. Sony also confirmed a second, separate intrusion claimed by the Ransomed.vc group, its second breach in four months. Finally, software firm Blackbaud has agreed to pay $49.5 million to the attorneys general of 49 US states and the District of Columbia over inadequate data security practices and its response to a 2020 ransomware attack.
2023-10-08 15:11:04 bleepingcomputer CYBERCRIME Microsoft Warns 365 Admins regarding New Google Anti-Spam Rules
Microsoft has urged Microsoft 365 customers to authenticate their outbound email in response to Google's stricter rules for bulk senders. Proper email authentication improves deliverability and protects the reputation of an organization's sending domain. Microsoft also reiterated that Microsoft 365 is not intended for bulk mailing, which can get messages blocked or labeled as spam; organizations that need to send bulk email are advised to use their own on-premises mail servers or a third-party mass-mailing provider. From February 1, 2024, Google will require domains sending more than 5,000 messages a day to Gmail users to pass both SPF and DKIM authentication and to publish a DMARC record (a policy of p=none is sufficient), with the visible From: domain aligned with the authenticated domain, to strengthen defenses against spoofing and phishing. Bulk senders must also offer one-click unsubscribe on commercial email and honor those requests within two days. Google has warned that non-compliant mail may be rejected or classified as spam.
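To make the requirements concrete, the following is an added example (not code from Microsoft, Google or the article) that evaluates a sending domain's SPF, DKIM and DMARC TXT records plus the unsubscribe headers of an outgoing message against those rules, and reports a weak configuration alongside a corrected one. The records and headers are constructed samples; `example.com`, the selector key and the unsubscribe URL are placeholders. In real use the three records would be fetched with a DNS resolver rather than passed in as strings.

```python
import re


def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record (DMARC or DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(spf):
    """Return (level, message) findings for an SPF TXT record (None = not published)."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return [("fail", "SPF: no v=spf1 TXT record published for the domain")]
    terms = spf.split()[1:]
    if any(t.lower().startswith("redirect=") for t in terms):
        return []  # policy delegated to another domain; evaluate that record instead
    last = terms[-1] if terms else ""
    if last and last[0] in "+-~?":
        qualifier, mechanism = last[0], last[1:]
    else:
        qualifier, mechanism = "+", last
    if mechanism.lower() != "all":
        return [("warn", "SPF: record does not end in an 'all' mechanism, so unlisted senders get 'neutral'")]
    if qualifier == "+":
        return [("fail", "SPF: '+all' authorises every host on the internet to send as this domain")]
    return []


def check_dkim(dkim):
    if not dkim:
        return [("fail", "DKIM: no public key at the selector; sign outbound mail and publish the key")]
    if not parse_tags(dkim).get("p"):
        return [("fail", "DKIM: empty p= tag means the key is revoked")]
    return []


def check_dmarc(dmarc):
    if not dmarc:
        return [("fail", "DMARC: no _dmarc TXT record; Google's bulk-sender rules require at least p=none")]
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return [("fail", "DMARC: record must start with v=DMARC1")]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [("fail", "DMARC: p= must be none, quarantine or reject")]
    findings = []
    if policy == "none":
        findings.append(("warn", "DMARC: p=none meets the minimum but asks receivers to deliver spoofed mail anyway"))
    if "rua" not in tags:
        findings.append(("warn", "DMARC: no rua= address, so no aggregate reports will arrive"))
    return findings


def check_alignment(domain, headers):
    """DMARC alignment: the visible From: domain must be the authenticated domain."""
    match = re.search(r"@([A-Za-z0-9.-]+)", headers.get("From", ""))
    from_domain = match.group(1).lower() if match else ""
    if from_domain != domain.lower():
        return [("fail", "Alignment: From: domain %r does not match authenticated domain %r" % (from_domain, domain))]
    return []


def check_unsubscribe(headers):
    """RFC 8058 one-click unsubscribe needs both headers and an https URL."""
    findings = []
    if not re.search(r"<https://[^>]+>", headers.get("List-Unsubscribe", "")):
        findings.append(("fail", "Unsubscribe: List-Unsubscribe header with an https URL is missing"))
    if headers.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        findings.append(("fail", "Unsubscribe: 'List-Unsubscribe-Post: List-Unsubscribe=One-Click' is missing"))
    return findings


def assess(domain, spf, dkim, dmarc, headers):
    """Return (ready, findings); ready is False if any finding is a 'fail'."""
    findings = (check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)
                + check_alignment(domain, headers) + check_unsubscribe(headers))
    return not any(level == "fail" for level, _ in findings), findings


# Constructed samples: a weak configuration and its corrected counterpart.
WEAK = dict(domain="example.com",
            spf="v=spf1 include:spf.protection.outlook.com +all",
            dkim=None, dmarc=None,
            headers={"From": "Marketing <news@example.com>", "Subject": "October offers"})
FIXED = dict(domain="example.com",
             spf="v=spf1 include:spf.protection.outlook.com -all",
             dkim="v=DKIM1; k=rsa; p=EXAMPLEPUBLICKEYBASE64",  # placeholder, not a real key
             dmarc="v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
             headers={"From": "Marketing <news@example.com>",
                      "List-Unsubscribe": "<https://example.com/unsubscribe/abc123>",
                      "List-Unsubscribe-Post": "List-Unsubscribe=One-Click"})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        ready, findings = assess(**cfg)
        print(f"{name}: ready={ready}")
        for level, msg in findings:
            print(f"  [{level}] {msg}")
```

The weak configuration fails on five counts (an SPF record ending in `+all`, no DKIM key, no DMARC record, and both unsubscribe headers missing); the corrected one passes cleanly. A DMARC policy of `p=none` is accepted but flagged as a warning, since it satisfies Google's minimum while doing nothing to stop spoofed mail from being delivered.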
2023-10-08 14:09:57 bleepingcomputer DATA BREACH Third Data Breach at Flagstar Bank Since 2021 Affects Over 800,000 Customers
Flagstar Bank is warning that a breach at Fiserv, its third-party payment processing and mobile banking provider, led to the theft of personal information belonging to about 837,390 of its US customers. Fiserv was compromised in the Clop gang's mass MOVEit Transfer data theft campaign, which exploited a zero-day vulnerability in the product to access systems and steal customer data. The stolen data reportedly includes customer names and Social Security numbers (SSNs), although the official notification redacts the exact data elements. This is the third breach Flagstar has disclosed since March 2021: an earlier Clop attack hit its Accellion file transfer server, and a June 2022 intrusion into its corporate network affected more than 1.5 million customers. The incident raises questions about Fiserv's overall security, since the company serves hundreds of banks; Fiserv has not yet said whether the MOVEit breach affects other financial institutions and their customers.
2023-10-07 14:15:03 bleepingcomputer NATION STATE ACTIVITY Cryptographic Expert Offers Bounty for Cracking NSA-provided Seeds for NIST Elliptic Curves
Cryptographer Filippo Valsorda has offered a $12,288 bounty for recovering the seeds used to generate the NIST elliptic curves, which were supplied by the National Security Agency (NSA); if the winner donates the bounty to a 501(c)(3) charity it will be tripled to $36,864. The offer is backed by well-known figures in cryptography and security, including professors at Johns Hopkins University and engineers at AWS. The NIST curves are a cornerstone of modern cryptography, yet the provenance of their seeds has long been the subject of speculation. The seeds are believed to have been produced by Dr. Jerry Solinas by hashing English sentences, probably with SHA-1; the curve coefficients were then derived from the seeds by the standard's hash-based "verifiably random" procedure, which is why a recovered sentence would be checkable by anyone. Finding the original sentences would dispel concerns that the seeds were chosen to plant weaknesses in the curves and would settle a piece of cryptographic history. The task amounts to a passphrase-cracking exercise and could in principle be completed by anyone with enough GPU capacity and experience in brute-forcing passphrases.
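Two pieces of code make the challenge concrete, both added here as an example rather than taken from the bounty announcement or the article. The first reproduces the ANSI X9.62 / FIPS 186 verification that P-256's coefficient b really was derived from its published seed (the seed, prime and b are copied from FIPS 186-4 and should be checked against the standard); the second is the shape of the search the bounty invites, SHA-1 of candidate sentences compared with the seed, demonstrated against a constructed toy target so that it visibly terminates. The toy phrase, templates and fillers are invented for the example and have no connection to the real seeds.

```python
import hashlib
from itertools import product
from typing import Optional

# P-256 domain parameters as printed in FIPS 186-4 (copied; verify against the standard).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def curve_matches_seed(seed: bytes, p: int, b: int, a: int = -3) -> bool:
    """ANSI X9.62 / FIPS 186 'verifiably random' check for a prime-field curve.

    Expands SHA-1(seed), SHA-1(seed+1), ... into a t-bit integer c (t = bits of p)
    and tests c * b^2 == a^3 (mod p). This is all the published seed proves: that b
    was derived from it, not that the seed itself was chosen innocently.
    """
    g = len(seed) * 8                      # seed length in bits (160 for the P-curves)
    t = p.bit_length()
    s = (t - 1) // 160                     # number of extra SHA-1 blocks needed
    h = t - 160 * s                        # bits taken from the first hash
    first = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    c0 = first & ((1 << h) - 1)            # rightmost h bits of SHA-1(seed)
    c = c0 & ~(1 << (h - 1))               # W0: c0 with its leftmost bit cleared
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        zi = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(zi).digest(), "big")
    if c == 0 or (4 * c + 27) % p == 0:    # would give a singular curve
        return False
    return (c * b * b - pow(a, 3, p)) % p == 0


def sha1_preimage_search(target: bytes, candidates) -> Optional[str]:
    """The bounty hypothesis, one SHA-1 per candidate: does SHA-1(phrase) equal the seed?
    `candidates` is any iterable of strings; at scale this loop is what a GPU cracker runs."""
    for phrase in candidates:
        if hashlib.sha1(phrase.encode("utf-8")).digest() == target:
            return phrase
    return None


def phrase_candidates(templates, fillers):
    """Expand sentence templates such as '{} deserves a raise.' with every filler combination."""
    for template in templates:
        for combo in product(fillers, repeat=template.count("{}")):
            yield template.format(*combo)


# Constructed toy target so the search demonstrably terminates; NOT the real seed's preimage.
TOY_PHRASE = "Jerry deserves a raise."
TOY_SEED = hashlib.sha1(TOY_PHRASE.encode("utf-8")).digest()
TOY_TEMPLATES = ["{} deserves a raise.", "Give {} a {}."]
TOY_FILLERS = ["Jerry", "Solinas", "raise", "medal"]

if __name__ == "__main__":
    print("P-256 b derived from published seed:", curve_matches_seed(P256_SEED, P256_P, P256_B))
    print("toy preimage:", sha1_preimage_search(TOY_SEED, phrase_candidates(TOY_TEMPLATES, TOY_FILLERS)))
    print("real seed in toy dictionary:",
          sha1_preimage_search(P256_SEED, phrase_candidates(TOY_TEMPLATES, TOY_FILLERS)))
```

The verification routine works unchanged for the other P-curves because it derives the block count from the size of the prime. The search, by contrast, is only as good as its candidate generator: a real attempt would feed a GPU SHA-1 cracker with sentence templates, name lists and counter suffixes rather than the four-word toy dictionary used here.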
2023-10-06 23:12:26 bleepingcomputer DATA BREACH Voter Data Breached from Washington DC's Election Authority Website
The District of Columbia Board of Elections (DCBOE) confirmed that an unknown number of voter records were stolen in a data breach by a threat actor known as RansomedVC. Attackers accessed the information through the web server of DataNet, the hosting provider for Washington D.C.’s election authority. DCBOE's own servers were not directly compromised. With help from MS-ISAC's Computer Incident Response Team (CIRT), the election board shut down its website to contain the situation. DCBOE initiated a comprehensive security assessment in conjunction with data security experts, the FBI, and DHS. RansomedVC claims to have stolen over 600,000 lines of U.S. voter data and is offering the stolen information for sale on the dark web, with the price undisclosed for now. The threat actor provided a sample record allegedly containing personal details of a D.C. voter as verification of the data's authenticity. An anonymous source informed BleepingComputer on October 3rd that the stolen database was initially offered for sale on the BreachForums and Sinister.ly hacking forums. RansomedVC's recent claims of having breached Sony's systems to steal over 260GB of files were contested by another threat actor known as MajorNelson.
2023-10-06 18:48:09 theregister CYBERCRIME CISA and NSA Highlight Unchanged Default Credentials as Prime Security Risk
The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have published a joint advisory on the most common cybersecurity misconfigurations, with default configurations of software and applications, including unchanged default credentials, at the top of the list. The advisory is aimed as much at software manufacturers as at network defenders: the agencies want vendors to adopt secure-by-design and secure-by-default principles so that products do not ship with those defaults in the first place. Other leading misconfigurations include improper separation of user and administrator privileges and insufficient network monitoring. The agencies warn against "privilege creep," where accounts accumulate permissions beyond what their role requires, which makes malicious use of those accounts harder to spot, and they stress that both host-based and network monitoring are needed to detect and stop intrusions. They close by repeating their call for software companies to commit publicly to secure-by-design development.
2023-10-06 18:48:08 bleepingcomputer DATA BREACH Blackbaud Settles Multi-State Investigation into May 2020 Ransomware Attack for $49.5 Million
Cloud software provider Blackbaud has reached a $49.5 million settlement with the attorneys general of 49 U.S. states and the District of Columbia over a ransomware attack and resulting data breach in May 2020. The attack exposed data belonging to more than 13,000 Blackbaud business customers and their clients in the U.S., Canada, the U.K. and the Netherlands, including demographic details, Social Security numbers, driver's license numbers, financial records, employment data, wealth information, donation histories and protected health information. The settlement resolves allegations that Blackbaud violated state consumer protection laws, breach-notification rules and the Health Insurance Portability and Accountability Act (HIPAA). Blackbaud must also implement a consolidated risk management program and undergo annual, independent, third-party cybersecurity assessments, among other obligations. In March this year the company agreed to pay $3 million to settle Securities and Exchange Commission (SEC) charges that it failed to disclose the full impact of the 2020 attack, and it still faces multiple lawsuits, including 23 proposed consumer class actions in the U.S. and Canada over the same breach.
2023-10-06 17:11:05 bleepingcomputer CYBERCRIME FTC Reports Over $2.7 Billion Lost to Social Media Scams Since 2021
The Federal Trade Commission (FTC) reports that Americans have lost at least $2.7 billion to social media scams since 2021, a figure that is almost certainly an undercount because most victims never report: research indicates that only 4.8% of scam victims file a complaint with the Better Business Bureau or a government agency. Scammers advertise fake products, pitch bogus investment opportunities and pose as romantic prospects. Online shopping scams are the most frequently reported type, accounting for 44% of social media scam reports. The FTC advises consumers to limit what they post on social media, to treat unsolicited contacts with suspicion, and to check a company's credibility before buying online. The warning follows earlier FTC reporting that showed social media fraud surging in 2021 and consumers losing a record $8.8 billion to fraud of all types in 2022.