Daily Brief

The article summaries below are generated automatically.

Total articles found: 12589

Checks for new stories every ~15 minutes

2023-09-30 14:18:26 | bleepingcomputer | DDOS | Vulnerabilities in Cloudflare Allow For Bypass of DDoS Protections
Research by Stefan Proksch of Certitude revealed vulnerabilities that allow Cloudflare's Firewall and DDoS protections to be bypassed. The logic flaws that allow an attack are found in the cloud service provider's cross-tenant security controls. To exploit the vulnerabilities, attackers must know the targeted web server's IP address and create a free Cloudflare account. This allows them to bypass security measures, placing other Cloudflare customers at risk. The vulnerabilities specifically impact two Cloudflare features: Authenticated Origin Pulls and Allowlist Cloudflare IP Addresses. These security measures verify that HTTP(S) requests sent to an origin server come through Cloudflare and that the only allowed traffic originates from Cloudflare's IP address range. Proksch found that attackers with a Cloudflare account could tunnel malicious traffic through the infrastructure or direct it to other Cloudflare clients. Mitigating this weakness requires the use of custom certificates rather than those generated by Cloudflare. The findings were reported to Cloudflare via HackerOne in March 2023. As of now, there is no confirmation on whether Cloudflare will implement additional protection mechanisms or warn clients with potentially risky configurations.
2023-09-30 09:54:34 | thehackernews | CYBERCRIME | FBI Reports Rising Trend of Dual Ransomware Attacks Against U.S. Companies
The U.S. Federal Bureau of Investigation (FBI) has warned about a growing trend since July 2023 in which cyber actors target victims with two different ransomware variants, often in attacks that occur close together. The targeted companies were hit by ransomware combinations involving AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal, leading to data encryption, exfiltration, and financial losses due to ransom payments. The FBI has noticed that these attacks increasingly use custom data theft tools, wipers and other malware to pressure victims into paying the ransom. The FBI encourages organizations to bolster their defenses by maintaining offline backups, monitoring external remote connections and remote desktop protocol use, enforcing multi-factor authentication, auditing user accounts, and segmenting networks. These dual ransomware attacks are an evolution of a phenomenon observed as early as May 2021, alongside a growing trend in the cybersecurity landscape involving the exploitation of zero-day vulnerabilities and the proliferation of initial access brokers and affiliates who resell access to victim systems and quickly deploy varying strains of ransomware.
2023-09-30 09:23:51 | thehackernews | NATION STATE ACTIVITY | Iranian-backed APT Group OilRig Deploying New Menorah Malware for Cyber Espionage
The Iranian-backed Advanced Persistent Threat (APT) group OilRig has been linked to spear-phishing campaigns that deliver a new strain of malware named Menorah, designed for cyber espionage. Trend Micro researchers revealed that the malware can identify the specifications of the infected machine, read and upload the machine's files, and download additional malicious files. It is not immediately clear who the targets of these attacks are, but the decoys used indicate that at least one is an organisation based in Saudi Arabia. OilRig, also known under a variety of other names including APT34 and Cobalt Gypsy, specializes in covert intelligence gathering and maintaining access within targeted networks. Recent findings suggest that OilRig is continuously developing its capabilities, with a recent phishing attack resulting in the deployment of a new variant of the SideTwist malware. The Menorah malware, which is .NET based, has various capabilities including fingerprinting the targeted host, listing directories and files, uploading selected files from the compromised system, executing shell commands, and downloading files to the system. Given its resources and varied skill set, APT34 will likely persist in customising its routines and social engineering techniques as part of its ongoing cyber espionage operations.
2023-09-30 04:19:25 | thehackernews | CYBERCRIME | Critical Security Vulnerabilities Uncovered in Exim Mail Transfer Agent
Multiple security flaws have been discovered in the Exim mail transfer agent that could allow information leakage and remote code execution if successfully exploited. The most severe one, CVE-2023-42115, permits remote, unauthenticated attackers to run arbitrary code on affected Exim installations and stems from inadequate validation of user-provided data. Fixes for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116 are currently available in a protected repository and ready for distribution maintainers to apply. The Zero Day Initiative (ZDI) recommends restricting interaction with the Exim application as a key mitigation strategy in the absence of patches for the remaining issues. This incident follows previous revelations of security flaws in Exim, including a set of 21 vulnerabilities, known as 21Nails, disclosed by Qualys in May 2021, and a critical Exim vulnerability exploited by the Russian state-sponsored group Sandworm, reported by the U.S. government in May 2020. Recent research from the University of California San Diego highlighted a new method, named forwarding-based spoofing, that uses weaknesses in email forwarding to send emails impersonating legitimate entities, compromising email integrity.
2023-09-29 21:53:48 | bleepingcomputer | CYBERCRIME | Multiple Ransomware Attacks and Data Breaches Impacting Various Organizations Highlighted in Weekly Summary
The building automation company Johnson Controls International was targeted by a ransomware attack from the Dark Angels group, resulting in the alleged theft of 27 TB of data from 25 different file servers. The effects of recent Clop ransomware attacks continue, with the National Student Clearinghouse reporting a data breach impacting 890 educational institutions and the BORN Ontario child registry disclosing a breach impacting approximately 3.4 million individuals. The Hospital for Sick Children, also known as SickKids, was affected by the BORN Ontario security breach. A large Michigan health service provider confirmed that it faced a ransomware attack. The FBI has noted an escalation in ransomware attacks, with victims increasingly facing multiple strains infiltrating their networks in less than two days. Reports cite a range of new ransomware variants discovered by cybersecurity researchers. Security researchers have identified infrastructure belonging to a threat actor, ShadowSyndicate, linked to multiple ransomware deployments over the past year. The Snatch ransomware group has been found to be leaking data about its location and operations, as well as the IP addresses of its site visitors.
2023-09-29 20:57:44 | theregister | MALWARE | Microsoft Bing Chat Serves Malicious Ads Through Its Platform
Cybersecurity firm Malwarebytes identified harmful ads (malvertising) being served inside Microsoft Bing Chat conversations. These ads require the user to click on them to cause damage, such as phishing their login details, pushing malware downloads or exploiting bugs to hijack their computers. The problem originated from the compromised ad account of a legitimate Australian business. Microsoft later confirmed that it has removed these ads and blocked the advertiser, and said it is continuing to monitor its ad network for similar accounts. Security firm Confiant reported that in 2022, 0.21 percent of the ads delivered across all server-side ad platforms contained security violations. Malwarebytes explained that malvertising has for many years been a top web delivery vector for malware and scams, regardless of the user's operating system or location. Threat actors range from amateur to professional, and those with more skills and specific user targets are usually more difficult to detect and stop. This incident reiterates the challenge of mitigating malvertising threats and the importance of prudent web browsing habits and software updates.
2023-09-29 20:11:48 | bleepingcomputer | CYBERCRIME | Millions of Exim Mail Servers Exposed to Zero-Day Vulnerability Attacks
A zero-day vulnerability in all versions of the Exim mail transfer agent (MTA) software has been disclosed, potentially exposing millions of servers to remote code execution (RCE) attacks. The security bug, disclosed via Trend Micro's Zero Day Initiative (ZDI), was found by an anonymous researcher and is due to an out-of-bounds write weakness in the SMTP service, which can lead to data corruption or unauthorized code or command execution. The developers have not provided an update on their patch progress, which led ZDI to publish an advisory on the zero-day with a full timeline of its exchanges with the Exim team. MTA servers, which are frequently internet-accessible, are particularly exposed to this bug, making them easy entry points into a network for attackers. The most recent data indicates that over 3.5 million Exim servers are currently exposed online, primarily in the US, Russia and Germany. Until a patch is available, admins have been advised to restrict external access to the servers as a temporary countermeasure.
2023-09-29 19:35:56 | theregister | NATION STATE ACTIVITY | Birmingham Student Convicted for 3D-Printing 'Kamikaze' Drone for ISIS
Mohamad Al Bared, a 26-year-old doctoral student at Birmingham University, has been convicted of constructing a potentially lethal drone for ISIS using his 3D printer at home. Al Bared was found guilty of preparing terrorist acts to benefit a proscribed organization and now faces a possible life sentence. The single-use, video-transmitting drone, which bore similarities to the design of the Tomahawk missile, was supposedly showcased in an ISIS propaganda video shared on Telegram. Aside from the drone, police also uncovered an ISIS application form and other evidence affirming his support for the terrorist group among Al Bared's confiscated phones, laptops, and hand-written notes containing recipes for chemical weapons. The prosecution argued that Al Bared sought to replicate Russian drone attacks in Ukraine and intended for the drones to cause significant casualties in densely populated areas. According to encrypted messages and digital communication, Al Bared researched chemicals such as sarin, ricin, and mustard gas along with mechanical detonators and an "explosive" head for the drone. Al Bared failed to convince the court that he built the drone and studied ISIS materials for research purposes in order to counter the terror group at his mosque.
2023-09-29 18:09:09 | bleepingcomputer | MALWARE | Proof-of-Concept for Microsoft SharePoint Server Authentication Bypass Vulnerability Released on GitHub
Proof-of-concept (PoC) exploit code for a critical authentication bypass vulnerability in Microsoft SharePoint Server, tracked as CVE-2023-29357, has been published on GitHub. Attackers exploiting this flaw can gain administrator privileges without any user interaction, using spoofed JWT authentication tokens in a network attack that bypasses authentication. STAR Labs researcher Nguyễn Tiến Giang detailed the exploitation process, which chains the CVE-2023-29357 bug with a second critical flaw, CVE-2023-24955, in a recent technical analysis. The second flaw enables remote code execution via command injection. Nguyễn demonstrated successful remote code execution on Microsoft SharePoint Server using this exploit chain in March 2023, winning a $100,000 prize at the Pwn2Own contest in Vancouver. The exploit posted on GitHub does not offer the full exploit chain for remote code execution; however, attackers may combine it with the CVE-2023-24955 bug to achieve this. Microsoft has released security patches for these flaws, and network administrators are urged to apply them immediately to prevent attacks.
2023-09-29 16:47:20 | thehackernews | MALWARE | Cybercriminals Leveraging ASMCrypt Malware Loader for Cyberattacks and Data Theft
Kaspersky has reported the emergence of a new crypter and loader malware, ASMCrypt, that loads malware payloads without being detected by antivirus or endpoint detection and response tools. ASMCrypt, described as an evolved version of another loader malware called DoubleFinger, was previously used to propagate a cryptocurrency stealer named GreetingGhoul across Europe, the U.S., and Latin America. Crypters and loaders are becoming a popular tool for threat actors, used to gain initial network access for ransomware attacks and data theft. Other similar malware includes Bumblebee, CustomerLoader, and GuLoader. CustomerLoader may operate as a "loader-as-a-service" used by multiple threat actors. After a brief hiatus, Bumblebee has been utilized in a new distribution campaign that uses Web Distributed Authoring and Versioning (WebDAV) servers. Reflecting a growing trend in the cybercrime economy, groups originally believed to be separate have teamed up, as shown by a "dark alliance" observed between GuLoader and Remcos RAT. GuLoader has been used predominantly for distributing Remcos RAT and is now sold as TheProtect, a crypter that is fully undetectable by security software. New versions of Lumma Stealer, an information-stealing malware, have been detected. This malware is distributed via a fake website: when a file is uploaded, the site returns a malicious binary posing as a PDF that steals sensitive data from the infected host. Lumma Stealer is an evolved version of the known malware Arkei.
2023-09-29 15:04:54 | bleepingcomputer | CYBERCRIME | ShinyHunters Member Pleads Guilty to $6 Million Data Theft and Ransom Scheme
Sebastien Raoult, a 22-year-old French national and a member of the hacking group ShinyHunters, has pleaded guilty in a U.S. court to conspiracy to commit wire fraud and aggravated identity theft. Raoult was apprehended in Morocco in 2022 and extradited to the U.S. in January 2023. His hacking activities reportedly resulted in damages exceeding $6 million. The guilty plea comes as Raoult and co-conspirators are accused of hacking into corporate computers to steal company and customer data, which was subsequently sold on various online forums under the ShinyHunters alias. The stolen data reportedly amounted to hundreds of millions of records. Between April 2020 and July 2021, datasets from over sixty companies were posted for sale by the ShinyHunters group. In some instances, the same company's data was sold multiple times; ransoms of up to $425,000 were also demanded from certain victims. The group also relied on cryptomining to augment its illicit proceeds, with the computing costs billed to the victimized companies' cloud computing providers. Raoult faces up to 27 years in prison for his wire fraud conspiracy conviction, and at least an additional two years for his aggravated identity theft conviction.
2023-09-29 13:57:41 | theregister | DATA BREACH | Norway Advocates for Permanent EU-Wide Ban on Meta's Behavioral Advertising
Norway has asked the European Data Protection Board (EDPB) to ban user data harvesting by Meta, particularly for advertising on Facebook and Instagram across Europe. This arises from an ongoing conflict between Meta and Norway's Data Protection Authority, Datatilsynet. The ban request was initiated after a Court of Justice of the European Union (CJEU) ruling, which clarified that Meta's data processing activities for behavioral marketing also included protected data (e.g., race, ethnicity, religious affiliation, sexual orientation). Despite not being part of the EU, Norway is part of the single market and is equally bound by CJEU rulings to ensure the implementation of European law and treaties. Meta previously insisted that its users gave consent for targeted advertising when agreeing to the Terms and Conditions. However, the CJEU did not accept this argument, and Datatilsynet argues for a consistent interpretation of the General Data Protection Regulation (GDPR) throughout the EU/EEA. Meta, which has been dealing with GDPR lawsuits for years, announced its intention to seek explicit consent from users for the data used in personalized advertising. The company expressed surprise at the actions of the Norwegian authority, given its commitment to a consent basis for advertising in the EU/EEA. Notably, the United Kingdom was excluded from Meta's shift towards a consent basis for data processing, even though UK GDPR rules are similar to EU rules. The UK government, however, plans to replace the EU legislation, which could potentially affect UK businesses collecting and processing EU data.
2023-09-29 12:24:06 | bleepingcomputer | MISCELLANEOUS | Technical Glitch Blocks Discord User Access
Numerous users of the social platform Discord have reported that they are unable to access their accounts, with a "Sorry, you have been blocked" message appearing on-screen. Outage reports on Downdetector spiked at the same time users began reporting the problem. Discord's engineers are currently investigating a sudden increase in API errors as a potential cause. No official explanation for the problem has been provided by Discord as yet, other than an acknowledgement on its Twitter support handle. Some users speculate that scheduled maintenance on Cloudflare could be the root cause, as this has reportedly affected other online platforms in addition to Discord. With some users already regaining access, this appears to be a temporary technical issue rather than a ban for policy violations, and a complete resolution is expected soon.
2023-09-29 12:13:36 | thehackernews | NATION STATE ACTIVITY | North Korea's Lazarus Group Targets Spanish Aerospace Firm in Spear-Phishing Campaign
The North Korea-affiliated Lazarus Group carried out a cyber espionage attack on an unnamed Spanish aerospace company, using a recruiter persona impersonating a Meta Platforms employee on LinkedIn. The attack forms part of a campaign dubbed "Operation Dream Job," in which targeted employees are encouraged to open a malicious executable file posing as a coding quiz or challenge. The payload delivered in the latest attack is a sophisticated tool named LightlessCan, which offers a significant advance over its predecessor, BLINDINGCAN. To initiate the attack, the victims receive a LinkedIn message from the fake recruiter, who sends two coding challenges via third-party cloud storage platforms containing the malicious Quiz1.exe and Quiz2.exe files. Once executed, these files introduce an HTTP(S) downloader called NickelLoader, which can deploy any program into the victim's device memory, including the LightlessCan remote access trojan and miniBlindingCan, a variant of BLINDINGCAN. Reflecting its advanced design, LightlessCan can mimic a wide range of Windows commands and has implemented 43 of 68 possible distinct commands to date.
2023-09-29 11:53:02 | thehackernews | CYBERCRIME | Post-Quantum Cryptography: A Mechanism for Consumer Security Amid Quantum Computing Advances
Advances in quantum computing threaten to break the commonly used RSA encryption, potentially compromising a vast amount of digital data. Even if encrypted, data captured today could be decrypted in the future once quantum computers become more accessible, posing a retrospective ("harvest now, decrypt later") security risk. Post-quantum cryptography (PQC) could prove a solution, offering algorithms resistant to attacks from both classical and quantum computers. PQC has recently begun to appear in consumer applications due to growing awareness of quantum threats and the increased maturity of PQC algorithms. Hybrid cryptography, such as that implemented by the messaging app Signal, combines PQC with existing encryption systems to boost resistance against quantum threats. As quantum computing gains momentum, PQC may need to become a standard feature in consumer applications to ensure user data is protected both now and in the future.