Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-12-15 13:04:42 | thehackernews | CYBERCRIME | Ledger Crypto Wallet Compromised, $600K Stolen by Hackers | Ledger's software supply chain was breached through a phishing attack on a former employee, leading to a significant theft of virtual assets. Over $600,000 was stolen after threat actors gained access to Ledger's npm account and published malicious code in the "@ledgerhq/connect-kit" module. Attackers uploaded three tainted versions of the module containing crypto-drainer malware that rerouted funds to attacker-controlled wallets. The tampered modules displayed fake prompts to users, deceiving them into connecting their wallets and subsequently draining funds. Although the malicious versions were live for approximately five hours, the actual window of fund drainage was less than two hours. Ledger has since removed the compromised versions, released a fixed version, and reported the incident, leading to the freezing of stolen funds by stablecoin issuer Tether. This incident reflects the increasing use of software registries for malware distribution via supply chain attacks, particularly targeting crypto assets for swift financial gain. |
| 2023-12-15 11:17:54 | thehackernews | CYBERCRIME | The Pivotal Role of Secure Coding in Web Application Security | Web applications are increasingly targeted by attackers due to the wealth of sensitive data they process and store. SQL Injections and Broken Access Control (BAC) are among the most prevalent vulnerabilities in web applications. SQL Injections can manipulate a backend database to unlawfully access data by injecting malicious SQL code. BAC has become the top web application security risk, with incidents including both vertical and horizontal privilege escalations. A practical approach to preventing SQL injections is input validation, which involves treating user input as data values instead of executable code. While Web Application Firewalls (WAFs) can improve security, they are not foolproof and can be circumvented by zero-day exploits. Secure coding practices, proper sanitization, and the principle of least privilege are fundamental to protecting web applications alongside WAFs. Incident response and recovery plans are critical for mitigating attacks, with expert consultation and reporting mechanisms in place for immediate support. |
| 2023-12-15 11:07:45 | thehackernews | CYBERCRIME | Urgent Patch Required for pfSense Firewall Security Flaws | Multiple security vulnerabilities have been identified in the pfSense firewall software, which could allow attackers to execute arbitrary commands. The issues include two reflected cross-site scripting (XSS) bugs and one command injection flaw that can be exploited by deceiving an authenticated user. An attacker can inject malicious scripts that are executed in the admin user's web browser, enabling unauthorized actions within the firewall with root-level access. Successful exploitation could lead to attackers spying on internal traffic or attacking services on the local network. The vulnerabilities primarily affect pfSense CE 2.7.0 and below, as well as pfSense Plus 23.05.1 and below. Patches have been released with pfSense CE 2.7.1 and pfSense Plus 23.09 following a responsible disclosure on July 3, 2023. The disclosure comes after Sonar's recent identification of a remote code execution flaw in Microsoft Visual Studio Code, which was patched in the September 2023 updates. |
| 2023-12-15 10:01:46 | theregister | DATA BREACH | ICO Urges Proper Emailing Practices After Data Breaches | The Information Commissioner's Office (ICO) has reminded businesses to properly use email fields to prevent personal data breaches. Staff must be trained to correctly use the "CC" (carbon copy) and "BCC" (blind carbon copy) features, with various incidents reported due to misuse. Case studies showed personal email addresses openly shared due to incorrect usage of "To" or "CC" instead of "BCC," revealing information about individuals. An NHS Trust and a charity were highlighted as examples where such errors resulted in the identification of trust patients and disclosed email addresses of HIV advisory board members. The ICO underscores the importance of understanding the distinction between "CC" and "BCC," implementing warning systems for potential misuse, and considering delays before sending emails to allow error correction. Additional advice includes turning off the autocomplete function to avoid unintended recipients and evaluating whether email is the best method for sharing information, including when using third-party services. Organizations are encouraged to take a risk-based approach to email communications, ensuring they adhere to privacy requirements and best practices. |
| 2023-12-15 07:29:16 | thehackernews | MISCELLANEOUS | Google Rolls Out Privacy-Centric Tracking Protection in Chrome | Google will begin testing a new "Tracking Protection" feature in Chrome to block third-party cookies for 1% of users from January 4, 2024. The feature aims to restrict cross-site tracking by disabling non-essential cookies by default, enhancing user privacy without compromising access to free content. Participants for the initial test are randomly selected and will be notified upon using Chrome on desktop or Android devices. Major browsers like Safari and Firefox have already implemented similar restrictions, but Google's approach seeks to balance privacy with continued support for ad-funded online services. Third-party cookies will be phased out for all Chrome users starting in Q3 2024, following initial testing and feedback. Google's Privacy Sandbox initiative will use data aggregation, limitations, and obfuscation instead of cross-site user identifiers to maintain privacy while still enabling targeted advertising and ad performance measurement. Google commits to evolving Chrome into a browser that's more private and accessible, underscoring the company's dedication to user privacy advancements. |
| 2023-12-15 05:32:21 | thehackernews | MALWARE | New Malware 'NKAbuse' Uses Blockchain for DDoS Attacks | NKAbuse, a new malware exploiting the NKN blockchain network, has been identified performing DDoS attacks and acting as a backdoor implant. The malware communicates using the NKN protocol, with over 62,000 nodes, to share commands and exchange data between compromised systems. Primarily targeting Linux systems, including IoT devices, it leverages a six-year-old vulnerability in Apache Struts to infiltrate systems. NKAbuse is coded in Go and supports various CPU architectures without a self-propagation mechanism, relying on other methods for initial delivery. Persistence is achieved through cron jobs, and elevated privileges are required for its functions, which include system information reporting, screenshot capture, file management, and command execution. The use of blockchain technology affords the botnet reliability and anonymity, signaling the potential for growth without a discernible command center. NKN's co-founder expressed surprise and an intent to understand and mitigate the misuse of their technology to ensure internet safety and neutrality. |
| 2023-12-14 23:31:30 | bleepingcomputer | CYBERCRIME | Kraft Heinz Probes Potential Cyberattack After Extortion Group's Claim | Kraft Heinz is investigating claims of a cyberattack on a decommissioned marketing website after being listed on the Snatch extortion group's data leak site. Snatch announced they breached Kraft Heinz, but no evidence or stolen data has been provided to substantiate these claims. As one of the largest food and beverage companies, Kraft Heinz operates globally with well-known brands such as Oscar Mayer and Philadelphia. Despite the extortion group's assertions, Kraft Heinz reports that their internal systems are functioning normally with no signs of a broader cyberattack. Snatch, historically known for ransomware activities, claims to have shifted focus from encrypting victims' files to solely data exfiltration and extortion. The United States Cybersecurity and Infrastructure Security Agency (CISA) identifies data on Snatch's website originating from both their operations and other ransomware groups, which contradicts Snatch Team's claim of not engaging in ransomware attacks. |
| 2023-12-14 22:15:16 | bleepingcomputer | MALWARE | NKAbuse Malware Utilizes NKN Blockchain for Stealth DDoS Attacks | NKAbuse, a novel multi-platform malware, leverages NKN (New Kind of Network) blockchain technology for stealthy communication, posing a new kind of threat. The malware primarily targets Linux devices in Mexico, Colombia, and Vietnam, and it has been seen exploiting an older Apache Struts vulnerability to infiltrate systems. NKAbuse can compromise various architectures including IoT devices, as well as MIPS, ARM, and x86 systems. It conducts hard-to-trace DDoS attacks using the NKN protocol, which isn't widely monitored by security tools, effectively hiding its source. The malware serves as a remote access trojan (RAT), allowing attackers to execute commands, exfiltrate data, and capture screenshots. Kaspersky's analysis reveals NKAbuse to be a sophisticated and versatile tool capable of a range of attack methodologies, complicating defense efforts. The use of blockchain to manage C2 (command and control) communications provides the attackers with resilience and obfuscation, which are not common in traditional DDoS botnets. |
| 2023-12-14 22:00:02 | theregister | CYBERCRIME | Microsoft Disrupts Major Cybercrime Operation Selling Phony Accounts | Microsoft took action against Storm-1152, a cybercrime group known for selling fraudulent Microsoft accounts. The operation involved seizing US-based websites that offered illegal services such as fake email accounts and CAPTCHA-solving tokens. Storm-1152 has been associated with significant financial gains from their activities, causing substantial losses for Microsoft customers. Court-ordered action was initiated after the group's activities were deemed harmful and were using Microsoft trademarks without authorization. The three individuals leading Storm-1152, all based in Vietnam, were identified in the legal proceedings. Their services were linked to notable attacks by Scattered Spider, including massive ransomware incursions against Las Vegas casinos. The action by Microsoft is part of ongoing efforts to fight cybercrime and mitigate its impacts on companies and the general public. |
| 2023-12-14 20:43:14 | bleepingcomputer | DATA BREACH | Ubiquiti Cloud Misconfiguration Leads to Unauthorized Access | Ubiquiti users reported being able to access and receive notifications from other users' devices via the UniFi cloud platform. The issue was first spotted when a user received a notification from a camera they did not own, leading to concerns about privacy and security. Other users experienced similar issues, gaining complete access to devices and control panels that were not theirs, with the situation reverting to normal after refreshing the web page. Ubiquiti responded to inquiries, stating they are reviewing the situation and will issue a statement after thorough investigation. The company has since attributed the problem to a misconfiguration during a cloud infrastructure upgrade, which led to two groups of accounts having cross-access for a limited time. A total of 1,216 Ubiquiti accounts were affected, with the company identifying that only twelve accounts saw improper access, promising to notify impacted users via email. |
| 2023-12-14 19:42:14 | bleepingcomputer | MALWARE | New Banking Malware Targets Nearly 1,000 Android Apps Worldwide | Ten new Android banking trojans emerged in 2023, targeting 985 financial apps in 61 countries. Banking trojans aim to steal online bank account credentials, bypass two-factor authentication, and commit fraud. The malware often appears as utilities, games, or productivity apps and has been found to target personal data and social media. Among the updated existing families of malware are Teabot, Exobot, Mysterybot, Medusa, Cabassous, Anubis, and Coper. The United States is the most targeted country, with 109 banking apps affected, followed by the UK with 48, and Italy with 44. Mobile security experts recommend only downloading apps from official stores, scrutinizing app permissions, and being cautious about external download requests. |
| 2023-12-14 18:31:09 | bleepingcomputer | CYBERCRIME | Microsoft Takes Down Major Cybercrime Operation Selling Fraudulent Accounts | Microsoft's Digital Crimes Unit has dismantled a Vietnamese cybercrime group, identified as Storm-1152, responsible for creating over 750 million fraudulent accounts. These accounts were sold to other cybercriminals who used them to commit ransomware attacks, data theft, and other cybercrimes globally. Storm-1152 offered services such as fraudulent Microsoft Outlook accounts and an automatic CAPTCHA-solving service, enabling widespread criminal activities online. Major cybercrime groups, including Storm-0252, Storm-0455, and Octo Tempest, utilized these fraudulent accounts in various attacks, causing damage estimated in the hundreds of millions of dollars. Microsoft seized the group's U.S. infrastructure and took down key websites after obtaining a legal order, while also filing a lawsuit against individual members of the gang. The legal action is part of Microsoft's broader strategy to disrupt the cybercriminal ecosystem by targeting the tools and services that facilitate cyberattacks. |
| 2023-12-14 18:26:04 | bleepingcomputer | MISCELLANEOUS | Discord Strengthens User Security with Security Key Support | Discord has introduced support for security key multi-factor authentication (MFA) for enhanced user account protection. This security measure is now available to all Discord users, increasing defense against phishing and credential theft. Users can replace the old MFA options with WebAuthn, which includes biometrics and hardware security keys. The implementation of WebAuthn involved using native languages for mobile app development and creating a custom module for macOS. Although WebAuthn offers significant security advantages, legacy MFA options will remain available for users. Discord plans to expand its WebAuthn capabilities to enable password-less logins in the future. |
| 2023-12-14 18:00:37 | bleepingcomputer | DATA BREACH | U.S. Nuclear Lab Data Breach Affects Thousands of Individuals | The Idaho National Laboratory (INL), a U.S. Department of Energy research facility, suffered a data breach involving a cloud-based HR system. Personal information of over 45,000 current and former employees, dependents, and spouses was exfiltrated by attackers. Sensitive personal identification information (PII) compromised includes names, social security numbers, salary data, and banking details. The breach was limited to an off-site Oracle HCM test environment and did not impact the INL's internal networks or databases. The cybersecurity incident was confirmed on November 20 and did not affect employees hired after June 1, 2023. SiegedSec, a hacking group, claimed responsibility for the breach and leaked the data without negotiating or demanding a ransom. Cybersecurity authorities, including CISA and the FBI, are conducting a joint investigation to assess the full impact of the breach. Evidence of the breach was demonstrated via social media postings by the attackers, including a custom announcement made using INL's compromised system. |
| 2023-12-14 17:34:59 | thehackernews | MISCELLANEOUS | Benefits of Automated Network Penetration Testing for Cybersecurity | Network penetration testing, also known as "pentesting" or "ethical hacking," is a methodology where security experts simulate cyberattacks to identify vulnerabilities. There are misconceptions surrounding pentesting, such as it being a one-time activity, only for large corporations, or disruptive to business operations. Both internal and external types of pentesting serve as complementary defense mechanisms targeting different parts of an organization's network. Automated network penetration testing, like vPenTest from Vonahi Security, offers a scalable and cost-effective alternative to manual testing. Automated testing allows for more frequent assessments of an organization's network, leading to more consistent identification of vulnerabilities with less human error. Embracing automated penetration testing tools can help businesses of all sizes improve their cybersecurity posture and comply with various standards. Vonahi Security provides a SaaS platform, vPenTest, that replicates manual testing and enables continuous, real-time evaluations of cybersecurity risks. |