Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12589
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-29 09:50:43 | thehackernews | MALWARE | AI-Powered Bing Chat Ads Potentially Leading Users to Malware Sites | Microsoft's AI-powered Bing Chat, an interactive search experience, is mistakenly serving ads that lead users to malware-distributing sites, according to cybersecurity firm Malwarebytes. Bing Chat, launched by Microsoft in February 2023, began experimenting with the placement of ads in conversations a month later, unintentionally providing an avenue for threat actors to distribute malware. Threat actors are taking advantage of the chatbot by inserting malicious ads into a Bing Chat conversation: when users hover over certain links, an ad is displayed first, which can lead to booby-trapped sites. One example highlighted by Malwarebytes shows a rogue installer configured to run a Visual Basic Script; the malware's payload is not yet known. A threat actor managed to infiltrate the ad account of a legitimate Australian business to create the offending ads. This discovery highlights the need for users to be cautious about clicking on unsolicited links, even when they appear legitimate, and to be suspicious of urgent or threatening messages asking for immediate action. Other recent cyberattacks have targeted the hospitality sector, leveraging stealers to access accounts and phishing emails that seem innocuous but direct recipients to enter their Microsoft credentials. | Details |
| 2023-09-29 09:35:00 | bleepingcomputer | CYBERCRIME | North Korean Lazarus Hackers Breach Spanish Aerospace Firm with New 'LightlessCan' Malware | The North Korean 'Lazarus' hacking group successfully breached a Spanish aerospace company's network using 'LightlessCan', a previously unknown backdoor. Lazarus conducted the attack as part of its ongoing "Operation Dreamjob" campaign, in which the group approaches a target, engages in a fake recruitment process, and tricks the victim into downloading a malicious file. Cybersecurity firm ESET found that Lazarus initiated the attack with a LinkedIn message, pretending to be a Meta (Facebook) recruiter named Steve Dawson. LightlessCan, identified as the successor to BlindingCan, has a more sophisticated code structure, different indexing, and enhanced functionality. Version 1.0 supports 43 commands but has 25 unimplemented commands in its code. ESET revealed that one of the LightlessCan payloads was encrypted and could only be decrypted with a key dependent on the target's environment, preventing outside access by security researchers or analysts. The hacking campaign and the new LightlessCan payload indicate that Lazarus' objectives are not limited to financial gain but also extend to espionage. Their continued activity presents an ongoing threat to potential target organizations. | Details |
| 2023-09-29 06:21:40 | thehackernews | CYBERCRIME | Progress Software Issues Hotfixes for Severe Flaws in WS_FTP Server | Progress Software released urgent hotfixes to correct a critical security flaw and seven other vulnerabilities in the WS_FTP Server Ad Hoc Transfer Module and the WS_FTP Server manager interface. The most severe flaw, tracked as CVE-2023-40044, has a CVSS score of 10.0, indicating maximum severity, and impacts all versions of the software. It allows a pre-authenticated attacker to execute remote commands on the underlying WS_FTP Server operating system through a .NET deserialization vulnerability in the Ad Hoc Transfer module. Researchers Shubham Shah and Sean Yeoh from Assetnote discovered and reported this vulnerability. Additional flaws affect versions of WS_FTP Server prior to 8.8.2, making them attractive targets for ransomware groups such as Cl0p and highlighting the importance of swift patch application. Alongside issuing the hotfixes, Progress Software is also managing the fallout from a major hack of its MOVEit Transfer secure file transfer platform, ongoing since May 2023, which is estimated to have affected over 2,100 organizations and 62 million individuals. | Details |
| 2023-09-29 03:08:40 | thehackernews | CYBERCRIME | Cisco Alerts Customers About Exploitation Attempts in IOS and IOS XE Software | Cisco issued a warning about attempted exploitation of a security flaw in its IOS Software and IOS XE Software that could permit a remote attacker to execute code on affected systems. The medium-severity vulnerability is tracked as CVE-2023-20109 with a CVSS score of 6.6 and affects all versions of the software with the GDOI or G-IKEv2 protocol enabled. An attacker could exploit the vulnerability by gaining administrative control of either a group member or a key server, causing the affected device to execute arbitrary code or crash. The vulnerability was discovered during an internal investigation and source code audit launched after an attempted exploitation of the GET VPN feature. Cisco also detailed another set of five flaws in its Catalyst SD-WAN Manager that could allow an attacker to gain unauthorized access to, or cause a denial-of-service condition on, affected systems. Customers are urged to upgrade to a fixed software release to remediate these vulnerabilities. | Details |
| 2023-09-28 23:14:51 | theregister | NATION STATE ACTIVITY | Chinese Cyber Spies Allegedly Steal 60K State Department Emails in Microsoft Email Break-In | Chinese cybercriminals reportedly stole approximately 60,000 emails from the US State Department over the summer. The targeted emails were from unclassified systems hosted on Microsoft's cloud platform; no signs were found that classified systems had been breached. The data theft implicated ten State Department officials, nine of them focused on Indo-Pacific diplomacy. The stolen email data included diplomatic discussions, travel plans, and the officials' social security numbers. The hackers also procured a list of all State Department email addresses, potentially paving the way for future phishing efforts or other social-engineering schemes. The State Department discovered the breach in July and alerted Microsoft, which traced the intrusion back to a China-based threat actor known as Storm-0558. During the intrusion, the cybercriminals accessed email data from around 25 organizations, including the US Commerce Department. US authorities have not officially accused China or its cyber-espionage groups of the data breach but have expressed their agreement with Microsoft's attribution. This intrusion reflects increasing concern over cyber-espionage threats from China, as evidenced by recent warnings from US and Japanese governmental and cybersecurity agencies. | Details |
| 2023-09-28 22:06:42 | bleepingcomputer | CYBERCRIME | Progress Software Issues Urgent Patch for Critical Vulnerabilities in WS_FTP Server Software | Progress Software has urged its customers to urgently patch several critical vulnerabilities found in its WS_FTP Server software. Two of the flaws are rated critical, with one (CVE-2023-40044) receiving the maximum severity score of 10 out of 10; it allows unauthenticated attackers to execute remote commands by exploiting a .NET deserialization vulnerability. The other critical bug (CVE-2023-42657) is a directory traversal vulnerability that allows attackers to perform file operations outside the authorized WS_FTP folder path. The company says the vulnerabilities, particularly CVE-2023-40044, can be exploited with low complexity and without user interaction. Progress Software has advised its customers to upgrade to WS_FTP Server version 8.8.2 to address the vulnerabilities. The company is also still dealing with the aftermath of a widespread data theft attack exploiting a zero-day vulnerability in its MOVEit Transfer file-sharing platform, with more than 2,100 organizations and over 62 million individuals affected. Despite this, the firm reported a 16% year-on-year increase in revenue for its fiscal third quarter ending on August 31, 2023. | Details |
| 2023-09-28 22:00:39 | theregister | NATION STATE ACTIVITY | US Privacy Board Backs Renewal of Feds' Section 702 Spying Powers with Added Protections for Citizens | The Privacy and Civil Liberties Oversight Board (PCLOB) has voted 3-2 in favor of reauthorizing Section 702 spying powers for federal agencies, but with strengthened protections for US citizens. The PCLOB supports all 19 recommendations in a report about Section 702, which include a stipulation that FBI agents should get approval from the Foreign Intelligence Surveillance Court before reviewing Americans' electronic communications. The board also supports probable cause as the standard for court approval before federal agencies can run warrantless Section 702 queries on US citizens to recover evidence of purported crime. Section 702 of the Foreign Intelligence Surveillance Act allows US intelligence agencies to surveil foreigners' overseas communications and includes data on Americans if they are a part of those communications. Two Republicans on the PCLOB argue for reforming the FBI to better incorporate privacy and civil liberties into its operations, rather than changing the surveillance program itself. Despite the renewed focus on protection measures, privacy and civil liberties advocates argue that spying on Americans won't stop unless Congress gives Section 702 a significant overhaul. The board's recommendations were praised by the Center for Democracy and Technology (CDT), most notably the call to require FISA court approval for US person queries. The CDT emphasized that limiting the scope of surveillance is the most important reform. | Details |
| 2023-09-28 22:00:39 | bleepingcomputer | CYBERCRIME | Chinese-linked Hackers Steal 60,000 State Dept emails via Microsoft Breach | Chinese hackers have stolen nearly 60,000 emails from official accounts of the US State Department via a breach in Microsoft's Exchange email platform. The hackers also obtained a complete list of the department's email accounts. The breach was first noticed in May and primarily affected personnel working on Indo-Pacific diplomacy efforts, via the Outlook accounts of officials within East Asia, the Pacific, and Europe. In July, Microsoft admitted that the breach resulted in the compromise of accounts related to around 25 organisations, which included the US State and Commerce Departments. However, the company did not disclose specific details about the attack's ramifications. The attack was reportedly orchestrated by a group known as Storm-0558, with the objective of stealing sensitive data via email systems. The group managed to acquire a consumer signing key through a breach, enabling them to exploit a zero-day validation vulnerability and impersonate accounts within the targeted organizations. Microsoft has subsequently revoked the stolen signing key and found no further instances of unauthorized access. The tech giant also agreed to broaden access to cloud logging data, under pressure from the Cybersecurity and Infrastructure Security Agency, a move intended to aid in the identification of future breach attempts. Senator Eric Schmitt emphasised the need to strengthen the federal government's cyber defenses and scrutinize its reliance on a single vendor. He has pledged to continue pushing for action to prevent the nation's sensitive information from falling into the hands of malevolent actors like China. | Details |
| 2023-09-28 18:44:51 | thehackernews | CYBERCRIME | Password-Stealing Malware Strikes GitHub Repositories Via Fake Dependabot Contributions | A new malware campaign has been detected hacking into GitHub accounts and committing malicious code masked as Dependabot contributions, with the aim of stealing developers' passwords. Checkmarx, the software supply chain security firm, discovered this activity. The malicious code transfers the defined secrets of the compromised GitHub project to a malicious C2 server and modifies any existing JavaScript files in the targeted project with web-form password-stealer malware, impacting any end user who submits their password in a web form. The malware is designed to capture GitHub secrets and variables and send them to a remote server via a GitHub Action. Checkmarx spotted these unusual commits to several public and private GitHub repositories from 8 to 11 July 2023, with victims' GitHub personal access tokens (PATs) being stolen and used by the attackers to make malicious code commits to users' repositories, posing as Dependabot. Most of the compromised users are based in Indonesia, but the exact theft method remains unclear, though it is thought it might involve a rogue package unknowingly installed by developers. This campaign adds to the continuing attempts by threat actors to disrupt open-source ecosystems and facilitate supply chain compromises, a trend highlighted by a new data exfiltration campaign targeting both npm and PyPI using up to 39 fraudulent packages to collect sensitive machine information and send it to a remote server. | Details |
| 2023-09-28 18:44:51 | bleepingcomputer | CYBERCRIME | Cisco warns of zero-day vulnerability in IOS software being exploited by attackers | Cisco has issued an advisory detailing a medium-severity security flaw in its IOS and IOS XE software that has been targeted by attackers. The vulnerability, identified as CVE-2023-20109, originates from inadequate attribute validation within the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature. Successful exploitation requires attackers to have administrative control of a key server or group member, implying they have already infiltrated the network. An attacker could execute arbitrary code and gain full control of the affected system or cause it to reload, creating a denial-of-service (DoS) condition. The zero-day vulnerability impacts all Cisco products running affected IOS or IOS XE software with the GDOI or G-IKEv2 protocol enabled. Meraki products, and those running IOS XR or NX-OS software, are not exposed to attacks using this exploit. Despite the considerable access required, Cisco has already noted attempted exploitation of the vulnerability. Cisco also addressed a critical flaw in the Security Assertion Markup Language (SAML) APIs of Catalyst SD-WAN Manager network management software that could enable unauthenticated attackers to remotely gain unauthorized access to the application. | Details |
| 2023-09-28 18:38:32 | theregister | MISCELLANEOUS | DARPA Tests Prototype for Long-Duration Undersea Drone | DARPA has performed an initial test dip of a prototype unmanned undersea vehicle (UUV) with PacMar Technologies and Northrop Grumman. Both companies are developing prototypes for DARPA's Manta Ray program, which aims to enhance America's next-generation undersea power projection capabilities. The test sought to gain insights into key systems of the vehicle, validate assumptions and models, and extract valuable data in preparation for upcoming full-scale at-sea demonstrations. The Manta Ray program focuses on creating a craft that can operate for extended durations without logistic support or maintenance. DARPA intends for these craft to be able to harvest energy at relevant operational depths, leveraging ocean wave energy, current energy, and ocean thermal energy. Future improvements to the prototype will include new approaches to mitigate biofouling, corrosion, and other material degradation for long-duration missions. | Details |
| 2023-09-28 18:38:31 | bleepingcomputer | MALWARE | Malware Deployed Through Bing Chat: Threat Actors Seize Opportunity to Exploit Ads for Malware Distribution | Microsoft's AI-powered Bing Chat was found to have been infiltrated by malware through malicious advertisements that promote fake download sites. Bing Chat, introduced by Microsoft in 2023 to compete with Google, incorporates ads into the chat to generate additional revenue. However, this has opened up opportunities for cybercriminals to use these ads to distribute malware. Scams observed include fake download sites pretending to offer popular utilities, such as 'Advanced IP Scanner', which has previously been used by RomCom RAT and Somnia ransomware operators. The malware attack uses ad accounts of legitimate businesses to create sponsored links, which direct users to websites aiming to deploy malware. After verifying the user is a human, the victims are redirected to a replica site, tricking them into downloading a malicious script. Cybercriminals are exploiting the trust-based interaction Bing Chat offers, as unwarranted trust may lead users to click on these ads, judge promoted content as reliable and fail to double-check URLs. Although the specifics of the malware are unclear, prior similar operations showed that threat actors often distribute information-stealing malware or deploy remote access trojans for potential account and network breaches. | Details |
| 2023-09-28 18:17:47 | bleepingcomputer | CYBERCRIME | FBI Warns of Accelerated Double Ransomware Attacks | The FBI has reported a new trend in ransomware attacks where multiple malware types are employed within a 48-hour period, contrasting with a typical minimum of 10 days between such attacks. Ransomware affiliates are said to be using two distinct variants, causing a mix of data encryption, data loss, and significant financial losses from ransom payments. Variants including AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal have been reported, leading to increased harm to targeted entities. Alongside this trend, ransomware gangs have been developing code to avoid detection by incorporating new code within their custom data theft tools, wipers and malware. The FBI has recommended maintaining close connections with FBI Field Offices, applying the mitigation measures outlined in its recent Private Industry Notification, and conducting thorough scans of infrastructure for potential backdoors and vulnerabilities. Other recommendations include securing all remote access solutions via VPN, enforcing multi-factor authentication, implementing network segmentation to isolate critical servers, and identifying patch-vulnerable devices via network-wide audits and scans. | Details |
| 2023-09-28 15:16:06 | bleepingcomputer | CYBERCRIME | Five Critical Vulnerabilities Discovered in Cisco Catalyst SD-WAN Manager | Cisco has issued a warning regarding five new vulnerabilities identified in its Catalyst SD-WAN Manager products; the most critical one allows unauthorized remote access to servers. The most severe vulnerability (CVE-2023-20252), scored 9.8 out of 10 by the Common Vulnerability Scoring System (CVSS), is due to issues with the Security Assertion Markup Language (SAML) application programming interfaces (APIs). It can be exploited by sending special requests to the SAML APIs, generating authorization tokens and gaining unconditional application access. The vulnerability opens up the potential for user impersonation, unauthorized data access/modification/deletion, and service disruption. The remaining vulnerabilities are less severe; CVE-2023-20034 is remotely exploitable without requiring authentication, but its severity is reduced because the access is limited to the Elasticsearch database. The flaws impact various versions of Cisco Catalyst SD-WAN Manager; the most crucial one to fix, CVE-2023-20252, affects versions 20.9.3.2 and 20.11.1.2. The latest available version, Catalyst SD-WAN Manager 20.12, is the safest to upgrade to. Cisco has advised that there are no workarounds available for these flaws, and the only recommended action is to upgrade to a patched release. Currently, there are no reports of these flaws being actively exploited, but Cisco urged customers to upgrade to the recommended versions urgently. | Details |
| 2023-09-28 14:53:52 | bleepingcomputer | MISCELLANEOUS | US Federal Agents Target Security Researcher Over Cryptocurrency Scam Probe | Sam Curry, a security researcher, was detained and investigated by US border officials and federal agents after his IP address was detected in a cryptocurrency wallet associated with a phishing scam. A grand jury subpoena was issued and Curry's devices were searched at Dulles International Airport when he returned from Japan. The suspect wallet was linked to a scam Curry had been involved in investigating in his professional capacity. After several days of engagement and clarification by his lawyer, the subpoena was dismissed and all data seized from Curry's devices was deleted. Curry is a prominent figure in the security field, having discovered and reported flaws in the APIs of major car companies and airline reward programs. His experience raises awareness that merely being a security researcher does not exempt one from the scrutiny of law enforcement should one's IP or system fingerprint be found in assets related to criminal activity. BleepingComputer reports that its inquiries to DHS, CBP, and IRS CI had received no response at the time of publishing. | Details |