Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-14 16:22:14 | bleepingcomputer | CYBERCRIME | Ledger Warns Users After $600K Crypto Supply Chain Attack | Ledger alerts users to avoid using web3 decentralized apps (dApps) due to a malicious supply chain attack on its 'Ledger dApp Connect Kit' library. The compromised library contained a JavaScript wallet drainer that siphoned $600,000 worth of cryptocurrency and NFTs from user wallets. Ledger has removed the infected version and released an updated, secure version of the Connect Kit. All projects that used the compromised package versions (1.1.5 through 1.1.7) must upgrade to the new version to ensure security. Users are advised to "Clear Sign" transactions and to be cautious of ongoing phishing attempts that exploit the situation. The breach occurred after a phishing attack on a former employee's NPMJS account enabled the attacker to publish malicious versions. While the hardware wallet and main software remain unaffected, there is an active investigation to assess the full impact of the attack. Ledger has reported the hacker's wallet addresses to authorities, Tether has frozen stolen assets, and Ledger plans to release a comprehensive report on the incident. | Details |
| 2023-12-14 15:31:30 | thehackernews | MALWARE | Malicious Python Packages on PyPI Repository Infect Thousands | Cybersecurity researchers have discovered 116 malicious Python packages on the PyPI repository aimed at Windows and Linux systems. These packages, downloaded over 10,000 times since May 2023, can install backdoors for remote command execution and data theft. The malware includes variants of W4SP Stealer and clipboard monitoring tools that hijack cryptocurrency transactions. Attackers used sophisticated methods to embed malicious code, such as hiding PowerShell in setup files or obfuscating it in initialization files. The incidents highlight the growing problem of compromised open-source packages being used for supply chain attacks. Researchers from ESET stress the need for Python developers to scrutinize code for suspicious components before use. This advisory follows reports of npm packages targeting a financial institution, demonstrating ongoing risks in the software supply chain. | Details |
| 2023-12-14 15:06:05 | bleepingcomputer | CYBERCRIME | Enhancing Active Directory Security Against Password Attacks | Active Directory (AD) is critical for identity management in organizations and is a prime target for cyberattacks because of the valuable credentials it holds. Attackers often exploit password weaknesses as an initial entry point to gain unauthorized access or take over an AD environment. Specops Password Policy can enhance AD security by enforcing robust password policies to counter attacks like Kerberoasting and password spraying. Kerberoasting targets service accounts by cracking encrypted service tickets offline, and strong password policies can mitigate this risk. Password spraying tries common passwords across many accounts; third-party solutions are recommended to enforce complex passwords and block likely choices. Default credentials present a high security risk, arising from scripted creation of new user accounts or from users with multiple accounts choosing the same password for each. Privilege escalation can give attackers full network control, so robust password policies, especially for privileged accounts, are crucial. Specops offers tools like Password Auditor to scan for weak or compromised passwords, and Password Policy to block the use of known breached passwords, increasing overall AD security. | Details |
| 2023-12-14 14:15:14 | theregister | NATION STATE ACTIVITY | Russia's SVR Exploits TeamCity in Global Cyber Espionage Campaign | The Russian Foreign Intelligence Service (SVR) is exploiting a critical vulnerability in the JetBrains TeamCity CI/CD server, in a campaign reminiscent of the 2020 SolarWinds attack. International cybersecurity agencies, including the FBI, CISA, NSA, SKW, CERT Polska, and the UK's NCSC, issued a joint advisory on the ongoing threat. The vulnerability, CVE-2023-42793, allows for code manipulation, certificate signing, and compromise of software build processes; North Korea was also seen exploiting it. Evidence of SVR activity includes backdoor installation and lateral movement within networks, using legitimate services like Dropbox to hide command and control (C2) traffic. The SVR uses sophisticated malware such as GraphicalProton for stealth and long-term access, often adding further layers of encryption and obfuscation. The advisory lists extensive mitigations and indicators of compromise; the Russian cyber espionage aligns with a decade-long strategy of intelligence gathering across various sectors. JetBrains responded with a software update for TeamCity and security patches for older versions, stressing that most instances are now patched. | Details |
| 2023-12-14 14:04:57 | thehackernews | MALWARE | Gaza Cyber Gang Deploys Revised Pierogi++ Malware Against Palestinian Targets | SentinelOne reports that the Gaza Cyber Gang is using an evolved form of Pierogi malware, now termed Pierogi++, tailored for attacks on Palestinian entities. Pierogi++ is part of a suite of malware used by the group that includes BarbWire and Micropsia, reflecting a sophisticated and evolving threat landscape. The threat actor's tactics include spear-phishing with decoy documents relevant to Palestinian interests, aiming to install backdoors for intelligence gathering. Notably, the latest Pierogi++ variant has dropped the identifiable Ukrainian strings from its code, suggesting refinement in the malware development process. Two separate campaigns, Big Bang and Operation Bearded Barbie, have been tactically linked, demonstrating the collaborative and streamlined efforts within the Gaza Cyber Gang. The collective, active since at least 2012, appears to be undergoing consolidation, likely including an internal malware development hub and standardized supply from vendors. | Details |
| 2023-12-14 12:38:38 | thehackernews | MALWARE | Iranian OilRig Hackers Deploy New Malware Against Israeli Targets | The Iranian state-sponsored group OilRig introduced three new downloaders named ODAgent, OilCheck, and OilBooster in attacks on Israeli organizations. Slovak cybersecurity firm ESET identified these downloaders, which use legitimate cloud service APIs for stealthy command-and-control operations. The updated SampleCheck5000 downloader also plays a role in the campaigns, using cloud services to communicate and exfiltrate data. Victims include entities in the healthcare, manufacturing, and local government sectors, all of which had faced previous attacks by OilRig. The initial method of compromise is unknown, and it is unclear whether OilRig maintained network access in order to deploy these downloaders. OilRig, active since 2014, has been employing an evolving arsenal of malware against Middle Eastern entities, with recent additions like MrPerfectionManager and PowerExchange. The new downloaders abuse cloud APIs such as Microsoft OneDrive and Office Exchange Web Services to receive commands and manage exfiltrated data. The malware uses victim-specific folders and shared accounts for communication with OilRig operators, indicating a sophisticated approach to maintaining persistence and evading detection. | Details |
| 2023-12-14 11:22:32 | thehackernews | MISCELLANEOUS | Network Penetration Testing Enhanced by Automation Solutions | Network penetration testing, also known as pentesting or ethical hacking, plays a vital role in safeguarding businesses by finding and addressing security weaknesses. The article explains the concept of pentesting, clarifies common misconceptions, and illustrates its necessity for modern cybersecurity strategies. Regular penetration testing is essential rather than a one-time activity, because cyber threats evolve and IT infrastructure changes. Both small and large businesses benefit from penetration testing; it is not exclusively for large corporations, as small businesses are often targeted by cyberattacks. Automated network penetration testing, as offered by Vonahi Security's vPenTest, presents a scalable, cost-effective, and reliable alternative to manual testing. With automation, organizations can conduct penetration tests more frequently and with minimal disruption, enabling real-time monitoring of their security posture. Vonahi Security, a provider of automated offensive cybersecurity consulting services, introduces vPenTest to replicate manual pentesting while offering the advantage of continuous risk evaluation. | Details |
| 2023-12-14 11:10:50 | theregister | CYBERCRIME | OAuth Exploited for Cybercrime and Cryptomining Without MFA | Cybercriminals are exploiting OAuth, an open standard for access delegation, to conduct business email compromise (BEC), phishing, spamming, and illicit cryptocurrency mining. Microsoft's threat intelligence team highlighted a group known as Storm-1283, which created OAuth applications using compromised accounts, leading to unauthorized deployments of virtual machines for cryptomining and significant Azure compute fees. Storm-1283 gained access through a compromised account that held ownership privileges on Azure, allowing the group to set up Azure infrastructure for crypto mining. Another group, Storm-1286, leveraged OAuth applications to orchestrate a massive spam campaign, taking advantage of accounts without multi-factor authentication (MFA). The absence of strong authentication like MFA allowed the creation of OAuth applications with permissions to send emails, control mailboxes, and read user profiles. Microsoft has observed phishing campaigns using malicious URLs that act as a proxy, intercepting tokens from user session cookies for further malicious activity, including BEC reconnaissance. Microsoft emphasizes the importance of enabling MFA and conditional access policies to prevent such abuse and has published incident response playbooks to help security teams respond to threats involving OAuth. | Details |
| 2023-12-14 10:37:17 | thehackernews | NATION STATE ACTIVITY | Russian SVR APT29 Targets Global Software via JetBrains Flaw | The Russian SVR-affiliated group APT29, known for the SolarWinds attack, has been actively exploiting unpatched JetBrains TeamCity servers since September 2023. The exploitation targets a critical vulnerability, CVE-2023-42793, that enables remote code execution and is used by multiple threat actors, including North Korean groups. Attacks involve initial access, privilege escalation, lateral movement, deployment of backdoors like GraphicalProton, and data exfiltration while avoiding detection. The campaign, named Diplomatic Orbiter, focuses on diplomatic entities globally and uses tactics like credential theft, Active Directory enumeration, and antivirus evasion. Microsoft disrupted a widespread campaign after identifying approximately 100 compromised devices across various industries in different regions. The article also discusses Russian cyberattacks on Ukraine's agricultural sector and influence operations targeting international supporters of Ukraine. JetBrains has released patches for the vulnerability and urges the fewer than 2% of TeamCity instances that remain unpatched to update immediately; the cloud version was not affected. | Details |
| 2023-12-14 09:10:31 | theregister | MISCELLANEOUS | Hone Cybersecurity Skills with SANS Holiday Hack Challenge | The SANS Holiday Hack Challenge, a festive and educational cybersecurity event, has returned for the 2023 holiday season. Aimed at both aspiring and current cybersecurity professionals, the challenge offers hands-on experience in a variety of security tasks. The holiday period is often targeted by cybercriminals through phishing scams, DDoS attacks, and MFA fatigue exploitation. Participants in the Holiday Hack Challenge can learn to combat common holiday cyber threats while enjoying the season's festive spirit. The 2023 competition, 'Holiday Hack Challenge 2023: A Holiday Odyssey,' covers AI cybersecurity, defense, offense, web and cloud security, threat hunting, phishing analysis, and more. The challenge is inclusive, catering to all levels of expertise, and prizes are available for standout entries. Ed Skoudis, Director of the Holiday Hack Challenge, provides a preview and tips for success in an introductory YouTube video. Participants can start playing immediately by visiting the SANS event website, with added entertainment from cybersecurity-themed holiday music. | Details |
| 2023-12-14 06:32:46 | thehackernews | CYBERCRIME | GambleForce Hacker Group Attacks APAC Companies via SQL Injection | A new hacker group named GambleForce has been targeting Asia-Pacific firms with SQL injection attacks since September 2023. The threat actor targets the gambling, government, retail, and travel sectors, and has successfully breached six out of 24 organizations. GambleForce employs basic but effective tactics, using tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell, as well as a Chinese version of the legitimate Cobalt Strike framework. They exploit vulnerable CMS and public-facing applications, including a known flaw in Joomla CMS, to steal sensitive user data. The origins of GambleForce are unclear, but the group has been using Chinese-language commands within its tools. Group-IB, a cybersecurity firm, has taken down GambleForce's command-and-control server and alerted affected victims. The article emphasizes the importance of secure coding practices and the ongoing risk of SQL injection attacks where developers overlook input security and data validation. | Details |
| 2023-12-14 05:51:49 | thehackernews | CYBERCRIME | Microsoft Targets Illegal Cyber Network "Storm-1152" in Court Seizure | Microsoft received a court order to dismantle Storm-1152, a group responsible for creating and selling 750 million fake Microsoft accounts and related tools. Storm-1152's cybercrime-as-a-service model enabled illegal activities, including phishing, ransomware, and DDoS attacks, by evading identity verification systems. Known threat groups like Octo Tempest used these fraudulent accounts for their ransomware and extortion operations. With collaboration from Arkose Labs, Microsoft identified three Vietnamese individuals responsible for the cybercrime network's infrastructure. The perpetrators operated a sophisticated service, offering custom pricing, instructional videos, customer support, and cryptocurrency cash-outs for their fraudulent products. Microsoft's action is part of a crackdown on the use of fraudulent accounts that aid various cybercrimes and an attempt to strengthen cybersecurity across platforms. | Details |
| 2023-12-13 23:49:12 | bleepingcomputer | CYBERCRIME | Microsoft Tackles Cybercrime Ring Selling Fraudulent Accounts | Microsoft's Digital Crimes Unit has seized domains from a Vietnam-based group, Storm-1152, which sold fraudulent Microsoft Outlook accounts. The cybercriminals were behind the creation of over 750 million bogus accounts, profiting by selling them to other cyber actors. Storm-1152 also provided cybercrime-as-a-service tools, including an automatic CAPTCHA-solving service to facilitate the mass creation of fraudulent Microsoft email accounts. The fraudulent accounts have been used by various cybercrime gangs to infiltrate organizations and deploy ransomware, leading to damages in the hundreds of millions. Microsoft used a court order to shut down U.S.-based websites operated by Storm-1152 and sued individuals involved in the operation for their alleged roles. Microsoft aims to dismantle the broader cybercriminal infrastructure by attacking the tools and services that enable cyberattacks. | Details |
| 2023-12-13 22:47:45 | bleepingcomputer | NATION STATE ACTIVITY | Chinese APT Group Targets SOHO Equipment via KV-botnet | Volt Typhoon (Bronze Silhouette), a Chinese state-sponsored hacking collective, has been linked to the malicious 'KV-botnet', which has been infiltrating SOHO routers and VPN devices since 2022 to compromise high-value targets. The joint examination by Microsoft and the US government points to deliberate development of infrastructure that could undermine US-Asia communications during future crises. The Black Lotus Labs investigation uncovered the botnet's attacks on specific network devices, including Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, exploiting network edge vulnerabilities. The botnet has been used for a variety of incursions against telecoms, internet providers, US military entities, and others, with an observable surge in activity from August 2023 and a notable peak in mid-November 2023. KV-botnet operates differently depending on target value: the 'KV' cluster, presumably operated manually, focuses on high-value targets, whereas the 'JDY' cluster uses broader, automated scans. The attack leverages multiple file types in the infection chain, and the malware avoids detection by mimicking legitimate process names and residing predominantly in memory, which complicates detection but reduces persistence on hijacked devices. Lumen's Black Lotus Labs report correlates the techniques, target preferences, and working hours of KV-botnet with Volt Typhoon, and judges the drop in botnet activity following public disclosures as suspicious, hinting at the Chinese hackers' caution. Lumen has released indicators of compromise on GitHub to assist in the detection and prevention of KV-botnet infections, enhancing network security for threatened organizations. | Details |
| 2023-12-13 20:35:24 | bleepingcomputer | CYBERCRIME | Google Forms Exploited in BazarCall Phishing Payment Scams | A renewed BazarCall phishing campaign misuses Google Forms to send fake payment receipts. The emails imitate legitimate subscription and notification services to deceive users. Victims receive an email prompting them to cancel a non-existent, expensive subscription. The typical approach instructs users to call a phone number, connecting them to fake customer support. Cybercriminals then guide victims into unwittingly installing BazarLoader malware on their systems. Google Forms' legitimacy allows attackers to bypass security tools, ensuring email delivery. The emails create urgency by asking recipients to call within 24 hours to dispute the charges. The BazarCall method has a history of providing initial access for subsequent ransomware attacks. | Details |