Daily Brief


Total articles found: 12588

Checks for new stories every ~15 minutes

2023-09-26 14:01:57 bleepingcomputer CYBERCRIME Strengthening Password Security Amid Cybersecurity Threats: A Look at Policy Options
Password-based authentication remains an enduring cybersecurity weakness: attackers can obtain large numbers of stolen credentials on the dark web, potentially compromising both personal and business data. The predictability of human behavior compounds the problem, as many users choose weak, easy-to-remember passwords or reuse the same password across multiple accounts. Brute-force attacks, which use automated login attempts to find valid username and password combinations, are a common way of breaking into systems. To mitigate these issues, measures such as limiting unsuccessful login attempts and enforcing stronger password complexity requirements are suggested. Penetration testing of web applications can also help catch vulnerabilities. Screening password choices against a continuously updated list of breached passwords further strengthens defenses, and users whose passwords turn out to be compromised should be prompted to change them immediately. For Windows-based networks that use Active Directory for identity and access management, a third-party tool such as Specops Password Policy may be useful, as it offers comprehensive password policy enforcement and continuous scanning for compromised passwords.
2023-09-26 11:51:35 thehackernews MALWARE Xenomorph Banking Trojan Targets 35+ US Financial Institutions and Expands to Other Nations
Dutch security firm ThreatFabric has discovered an updated version of an Android banking trojan named Xenomorph. The malware now targets more than 35 US financial institutions, alongside others in Spain, Canada, Italy, and Belgium. The trojan uses phishing web pages to lure victims into installing malicious Android apps and targets a broader range of apps than its predecessors. Xenomorph, a variant of another banking malware named Alien, retains a feature that gives the operator complete control over the victim's device, enabling unauthorized transfers of funds to the operator's account. The updated version adds functionality such as an anti-sleep feature, a mimic feature for app impersonation, and overlays for stealing sensitive user information. The malware evades detection for long periods by hiding its icon from the home screen and by abusing the device's accessibility services to grant itself permissions. While previous attacks spread through disguised apps on the Google Play Store, the latest wave in mid-August 2023 used counterfeit sites offering Chrome browser updates. Investigations show that the threat actors target multiple operating systems: the same payload infrastructure also served Windows stealer malware such as Lumma C2 and RisePro, and a malware loader named Private Loader.
2023-09-26 11:51:35 thehackernews CYBERCRIME Navigating the Complexities of Cybersecurity Compliance
Cybersecurity compliance refers to meeting rules, set by law, regulatory authorities, trade associations, or industry groups, on the protection of sensitive information and customer data. Different sectors have different cybersecurity needs, and regulations often overlap across industries. For instance, a company in the EU that accepts credit card payments must comply with both the payment card industry's rules (PCI DSS) and GDPR. A multitude of security frameworks and certifications, such as SOC 2, ISO, HIPAA, Cyber Essentials, GDPR, and others, serve different purposes and requirements depending on the industry and business model, so the best-fit compliance standard should be chosen according to each business's needs. Automated tools can help businesses comply with these standards, typically covering elements such as risk assessments, encrypted data storage, vulnerability management, and incident response planning. Cybersecurity compliance can be complex and labor-intensive, but ignoring it can be extremely costly, resulting in breaches, settlements, reputational damage, heavy fines, and lost business opportunities. Automated platforms such as Intruder integrate with compliance platforms like Drata and can speed up auditing, reporting, and documentation, simplifying the compliance process.
2023-09-26 10:34:07 thehackernews CYBERCRIME High Tech Industry Most Targeted in Q2 2023, Reveals Fastly Threat Report
Fastly's Network Learning Exchange (NLX) Threat Report for Q2 2023 provides insights into the cyber threat landscape. The data shows that the High Tech industry was targeted the most, accounting for 46% of attack traffic tagged with NLX. The Media & Entertainment sector saw 56% more attacks tagged with NLX, the Commerce industry 36% more, and the High Tech industry 24% more. NLX, a collective threat intelligence feed integrated into Fastly's Next-Gen WAF, identifies and shares potentially malicious IP addresses across all customer networks. Of the analyzed attacks, 32% were Traversal, 28% SQL Injection, 20% Cross-Site Scripting, 13% OS Command Injection, and 7% Log4j JNDI lookups. Attack traffic patterns showed that malicious activity spanned multiple industries, with 69% of IPs targeting multiple customers and 64% targeting multiple industries. Autonomous System (AS) analysis identified Akamai Connected Cloud, Amazon, M247 Europe SRL, DigitalOcean, and Scaleway as major sources of NLX traffic. The report stresses the importance of actionable intelligence, of using such signals, and of inspecting traffic regardless of its source in order to improve security and reduce exposure.
2023-09-26 09:50:33 thehackernews NATION STATE ACTIVITY Chinese State-Sponsored Hacker Group TAG-74 Launches Cyber Espionage Campaign Against South Korea
Chinese state-sponsored hacker group TAG-74 has been running a multi-year cyber espionage campaign against South Korea's academic, political, and government organizations. The attacks are reportedly linked to Chinese military intelligence and pose a significant threat to the academic, aerospace, defense, government, military, and political sectors in South Korea, Japan, and Russia. TAG-74 has targeted South Korean academic institutions in particular, in line with China's broader agenda of intellectual property theft and expansion of influence. The group uses social engineering and Microsoft Compiled HTML Help (CHM) file lures to deploy a custom variant of ReVBShell, an open-source Visual Basic Script backdoor, which is then used to install the Bisonal remote access trojan. TAG-74 is said to be closely related to another Chinese hacking group, Tick, reflecting extensive tool sharing among Chinese threat groups. Security firm Recorded Future expects TAG-74's espionage activity to stay focused on South Korea for many years, while also pursuing strategic targets in Japan and Russia.
2023-09-26 09:30:20 theregister NATION STATE ACTIVITY Russia-Ukraine Cyberwarfare Escalates as Russian Spies Hunt for Information on Alleged War Crimes
Ukraine's State Service of Special Communications and Information Protection (SSSCIP) reported that Russian cyber spies have doubled their espionage operations against Ukrainian servers, seeking evidence of alleged Russian war crimes. Typically, five serious incidents requiring the involvement of Ukraine's Computer Emergency Response Team occur every day. Russian intelligence has also increasingly targeted the private sector, in an effort to monitor the results of kinetic operations, including missile and drone strikes, and to study the plans of government contractors and supply chain members. Despite the intensifying attacks, Ukraine says it has halved its adversaries' success rate, recording only 27 critical cyber incidents in the first half of 2023, with the energy grid attacked less often than in the second half of 2022. The FSB's cyber unit Gamaredon was the most active group throughout the year, going from 128 operations in 2022 to 103 in the first half of 2023 alone; however, only 11 of these incidents were rated critical or high severity. The destructive attacks, meanwhile, were primarily carried out by the GRU's Sandworm and included wiping servers and data storage systems and disabling networks. The country's cybersecurity head, Victor Zhora, warns that he expects Russia's online assaults on Ukraine to persist long after the physical war ends.
2023-09-26 09:30:19 bleepingcomputer CYBERCRIME ShadowSyndicate Hackers Linked to Multiple Ransomware Operations
Security researchers have discovered infrastructure linked to a hacking group known as ShadowSyndicate, which is believed to have deployed seven different ransomware families in attacks over the past year. The group may operate as an initial access broker (IAB), with evidence pointing to affiliations with multiple ransomware operations. The threat actor's activity was identified through a distinctive SSH fingerprint found on 85 servers. ShadowSyndicate used various tools in its attacks, including the Sliver post-exploitation framework, the Matanbuchus malware-as-a-service loader, and the Metasploit Meterpreter payload. Analysis showed that the 85 servers were registered to 18 different owners, 22 different network names, and 13 different locations. The researchers tied ShadowSyndicate's activity to Quantum, Nokoyawa, and ALPHV/BlackCat ransomware attacks. While evidence suggests a connection to other high-profile ransomware operations, such as Ryuk, Conti, and Clop, a direct link has yet to be confirmed. Group-IB, the firm that made the discovery, invites external researchers to collaborate in further uncovering the group's operations.
2023-09-26 09:30:19 bleepingcomputer DATA BREACH BORN Ontario Data Breach Affects SickKids Hospital and 3.4 Million Patients
The BORN Ontario data breach affected 3.4 million people and has had significant consequences for The Hospital for Sick Children, known as SickKids. The breach resulted from exploitation of a zero-day vulnerability in Progress MOVEit Transfer software. SickKids, along with many other Ontario healthcare providers, shares sensitive health information with BORN Ontario, a perinatal and child registry that collects and protects data on pregnancies and births. BORN Ontario uses this data to identify care gaps affecting individuals, connect people with suitable care providers, conduct health system quality assurance, and analyse data for emerging trends. At a minimum, the breach exposed personal health information relating to pregnancy, birth, and newborn care; depending on the type of care received, other data may also have been exposed. It is currently unclear how many SickKids patients and associates were affected, and the hospital directs those concerned to BORN Ontario's web page for further details. This is the second major digital security blow SickKids has suffered recently, as it was targeted by the LockBit ransomware group in December last year.
2023-09-26 05:05:03 thehackernews CYBERCRIME Critical Security Vulnerability in JetBrains TeamCity Software Could Lead to Remote Code Execution and Data Breach
A critical security flaw in the JetBrains TeamCity CI/CD software puts affected systems at risk of remote code execution by unauthorized attackers. The vulnerability, tracked as CVE-2023-42793, carries a severity rating of 9.8. It was responsibly disclosed on September 6, 2023, and has been fixed in TeamCity version 2023.05.4. Possible consequences of exploitation include theft of source code, service secrets, and private keys, control of attached build agents, and tampering with build artifacts. Threat actors could gain access to build pipelines and inject arbitrary code, leading to an integrity breach and supply chain compromise. JetBrains recommends that users upgrade promptly. The company has also released a security patch plugin for TeamCity versions 8.0 and above as a targeted fix for the flaw. Separately, high-severity flaws have been disclosed in Atos Unify OpenScape products that allow low-privileged attackers to execute arbitrary operating system commands as root and unauthenticated attackers to access and execute various configuration scripts. Cybersecurity firm Sonar has also disclosed critical cross-site scripting (XSS) vulnerabilities affecting encrypted email solutions, including ProtonMail, Skiff, and Tutanota.
2023-09-25 18:38:09 theregister CYBERCRIME Hong Kong-Based Cryptocurrency Firm Mixin Loses $200 Million in Hack Attack
Hong Kong-based cryptocurrency firm Mixin Network has suspended all deposit and withdrawal services after hackers stole approximately $200 million in funds. The theft followed an attack on the database of the firm's cloud service provider. Mixin has not named the provider and has enlisted Google and blockchain security company SlowMist to investigate; Google-owned Mandiant also confirmed its involvement in the cleanup. The company plans to resume services once the identified vulnerabilities are fixed and measures are in place to guard against similar incidents. Founder Feng Xiaodong plans to discuss the breach in detail in a live stream, with English summaries to follow. James McQuiggan, an open-source banking enthusiast and Security Awareness Advocate at KnowBe4, pointed to inherent weaknesses in the system and emphasized how damaging such a breach can be to trust in an organization. Mixin's loss comes shortly after North Korea's Lazarus Group was blamed for a $54 million heist against another Hong Kong exchange, CoinEx. Over the past 104 days, nearly $240 million has been stolen in five separate hacks, some of which have been linked to North Korean actors.
2023-09-25 17:33:06 bleepingcomputer DATA BREACH Clop Ransomware Breach Affects Ontario Child Registry BORN, Impacting 3.4 Million Individuals
The Better Outcomes Registry & Network (BORN), an Ontario-based healthcare organization, has suffered a data breach affecting approximately 3.4 million people. The breach was part of the broader series of Clop ransomware attacks that exploited a zero-day vulnerability (CVE-2023-34362) in Progress MOVEit Transfer software. BORN became aware of the breach on May 31 and took steps to isolate the affected servers and contain the threat. The threat actors copied files containing sensitive information, primarily on newborns and patients receiving pregnancy care who used BORN services between January 2010 and May 2023. BORN states that there is currently no evidence of the stolen data circulating on the dark web or being used for fraud. The organization advises potentially affected individuals to treat unsolicited communications with caution and to report any suspected fraudulent activity to the police and their service providers.
2023-09-25 16:09:31 bleepingcomputer MISCELLANEOUS Google to Retire Gmail Basic HTML View in 2024
Google will retire Gmail's Basic HTML view in January 2024, after which users will need a modern browser to access the webmail's Standard view. The Basic HTML view was a simplified version of Gmail for users with limited internet access, older hardware, or legacy web browsers, and for those who rely on tools such as text-to-speech for the visually impaired. Google did not give specific reasons for the decision; users were notified by email with the statement: "Once basic HTML view is disabled, users will automatically be redirected to the standard Gmail view which provides the latest in Gmail security and features." After the retirement date only the Standard view will remain, so users who depend on the Basic HTML view should prepare to transition or switch to desktop email clients. The retirement may affect users who need accessibility features, as the Basic HTML view often works better with text-to-speech tools because of its simpler technical makeup. Users of older hardware may prefer lightweight clients such as Mozilla Thunderbird and Microsoft Outlook over web-based platforms; Thunderbird in particular is known to work well with screen readers and offers display adjustments for users with visual impairments.
2023-09-25 15:16:30 bleepingcomputer MALWARE Xenomorph Android Malware Targets U.S. Banks and Cryptocurrency Wallets in New Campaign
Security researchers have discovered a new campaign distributing a new version of the Xenomorph Android malware, targeting users in the United States, Canada, Spain, Italy, Portugal, and Belgium. The newest version focuses on users of cryptocurrency wallets and various U.S. financial institutions. Xenomorph, a banking trojan, first appeared in early 2022, initially targeting 56 European banks with screen-overlay phishing; it was distributed via Google Play and reached over 50,000 installations. The malware continues to evolve, with newer versions described as more modular and flexible. Its current distribution relies on a dropper named "BugDrop", which bypasses security features in Android 13, and a distribution platform called "Zombinder", which embeds the threat in the APK files of legitimate Android apps. Users are primarily tricked into downloading the malicious APK through phishing pages posing as Chrome browser updates. The newest versions can mimic other applications and simulate screen taps, bypassing certain security warnings. Through access to the operator's payload hosting infrastructure, security analysts also uncovered additional malicious payloads, including the Android malware variants Medusa and Cabassous, the Windows information stealers RisePro and LummaC2, and the Private Loader malware loader.
2023-09-25 13:25:06 bleepingcomputer CYBERCRIME Mixin Network Halts Operations Following Major $200m Hack
Mixin Network, a peer-to-peer digital asset transaction network, has halted deposits and withdrawals following a $200 million hack on September 23. The attack targeted the database of Mixin's cloud service provider. Mixin has promised to address the loss of assets, but specific measures will be announced at a later date. Blockchain trackers PeckShield and Lookonchain have traced about $141 million of the stolen assets. Although the North Korean Lazarus group is suspected because of its history of crypto heists, it has not been tied to the Mixin incident. The hack ranks as one of the largest cryptocurrency thefts to date.
2023-09-25 13:06:02 thehackernews NATION STATE ACTIVITY Ukrainian Military Entities Targeted by Phishing Campaign Deploying Drone Manuals
Ukrainian military bodies have been targeted by a phishing campaign that uses drone manuals as lures to deliver Merlin, a widely used, Go-based, open-source post-exploitation toolkit. Phishing documents posing as drone service manuals have emerged, reflecting the crucial role drones play in the Ukrainian military. Cybersecurity firm Securonix tracks the campaign as STARK#VORTEX, and its research shows that the attack begins with a Microsoft Compiled HTML Help (CHM) file. When opened, the file executes malicious JavaScript embedded in one of its HTML pages, which contacts a remote server to fetch an obfuscated binary. The binary is then decoded to reveal the Merlin Agent. Once active, the agent connects to a command-and-control (C2) server for post-exploitation actions, giving the attacker control of the host. This is the first time Merlin has been used to target Ukrainian government bodies. The Ukraine Computer Emergency Response Team (CERT-UA) has previously reported similar attack chains that use CHM files as decoys to infect computers with open-source tools, and attributes these attacks to a threat actor it tracks as UAC-0154. The activity follows CERT-UA's detection of an unsuccessful cyber attack against a key energy infrastructure facility in Ukraine, which it attributed to APT28, a Russian state-sponsored group.