Daily Brief

Articles are listed below, each with a generated summary.

Total articles found: 11755

Checks for new stories every ~15 minutes

Date | Source | Category | Title
2023-12-11 14:06:36 | thehackernews | NATION STATE ACTIVITY | Sandman APT and China-Linked KEYPLUG Backdoor Sharing Revealed
Researchers have revealed tactical and targeting overlaps between the Sandman APT group and a China-based threat cluster that uses the KEYPLUG backdoor. SentinelOne, PwC, and Microsoft Threat Intelligence report that malware from both groups has been found in the same victim networks, and that Sandman's LuaDream backdoor and KEYPLUG share infrastructure and development practices, indicating coordination between Sandman and the Chinese actors tracked as Storm-0866 and Red Dev 40. KEYPLUG has previously been linked to APT41 and RedGolf, both associated with Chinese state-sponsored activity. Shared traits include Lua-based implants and the use of the QUIC and WebSocket protocols for command-and-control (C2) traffic between the malware and its operators. The linkage underscores the complexity of the Chinese threat landscape, where distinct intrusion clusters appear to draw on shared vendors or development practices.
2023-12-11 13:56:05 | theregister | MISCELLANEOUS | Cloud Security Complexity and AI-Detection Solutions
Multi-cloud and hybrid environments create security blind spots because each deployment is unique and changes continuously. A generic, one-size-fits-all approach to cloud security does not hold up in such diverse, scalable deployments, and because cloud services scale on demand, a minor misconfiguration or compromise can escalate into a significant incident quickly. The piece proposes AI that learns the specific cloud environment it protects as a way to detect and respond to threats that a static rule set would miss. An upcoming webinar, "Securing Your Cloud Starts by Understanding It," hosted by The Register's Tim Phillips with Nabil Zoldjalali of Darktrace, covers real-time visibility into cloud activity and autonomous threat response. It is scheduled for 18 December, and interested readers are invited to sign up.
2023-12-11 13:04:59 | thehackernews | NATION STATE ACTIVITY | Lazarus Group Exploits Log4j to Deploy Advanced RATs Globally
The North Korea-linked Lazarus Group has exploited the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j to deploy remote access trojans (RATs) in a campaign Cisco Talos tracks as Operation Blacksmith. Talos identified three new DLang-based malware families, NineRAT, DLRAT, and BottomLoader, used against manufacturing, agriculture, and physical security companies. NineRAT uses Telegram for command-and-control and supports actions ranging from data gathering to system manipulation. Log4Shell remains a viable initial-access vector two years on because a significant number of applications still run vulnerable versions of the Log4j library. Lazarus also deployed a custom proxy tool, HazyLoad, and the multipurpose DLRAT to maintain persistent access to compromised systems. Separately, the US sanctioned another North Korean group, Kimsuky, for intelligence-gathering operations, illustrating the persistent threat from state-sponsored cyber activity.
2023-12-11 11:53:39 | thehackernews | MISCELLANEOUS | Strategic Guide for New vCISOs: Navigating the First 100 Days
A virtual CISO (vCISO) is an option for organizations that cannot justify a full-time in-house CISO; the vCISO establishes and develops the company's security program, providing both strategic direction and hands-on services. The first 100 days are when a vCISO lays the foundation for long-term success and earns the organization's trust. A new playbook from Cynomi and PowerPSA provides a structured 100-day action plan for vCISOs. It draws on the authors' experience working with numerous vCISOs and is intended as a practical guide both for new appointments and for improving service to existing clients. Following its steps is meant to help vCISOs operate as strategic decision-makers and protect their organizations effectively.
2023-12-11 11:48:11 | theregister | DATA BREACH | 23andMe Data Breach Leads to Updated User Terms
23andMe acknowledged a data breach in which 5.5 million "DNA Relatives" profiles were accessed without authorization, exposing names, ancestry information, birth years, and family-tree data. The attackers used credential stuffing: they replayed username/password pairs leaked from other sites against accounts whose owners reused passwords and had not enabled multi-factor authentication. In response, 23andMe updated its terms of service to limit its legal exposure, adding a 60-day dispute-resolution period before arbitration or court proceedings can begin. Customers who do not want the new terms must decline them by email within 30 days of notification; otherwise they are deemed to have accepted. In the same roundup: a "well-known Bay Area tech" company had hundreds of laptops stolen, though it is unclear whether the goal was the data on them or resale of the hardware. Henry Schein, a healthcare products and services firm, was attacked by the ALPHV/BlackCat ransomware group, which stole sensitive data on more than 29,000 employees and caused further disruption after negotiations failed. The incident follows earlier lapses at Henry Schein, including a 2016 FTC settlement over misleading encryption claims.
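Credential stuffing of the kind described above leaves a distinctive trace in authentication logs: one source tries many different accounts in a short window, most attempts fail, and the few successes are the accounts the attacker now controls. The detector below is an added example written for this brief, not 23andMe's code or logs. The event shape (ISO timestamp, source IP, account, outcome) and the sample events are constructed, and the window and thresholds are assumptions to tune per site.

```python
"""Flag credential-stuffing bursts in authentication events: one source, many accounts, mostly failures."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source IP, account, outcome); not real logs.
SAMPLE_EVENTS = [
    ("2023-10-01T10:00:01", "203.0.113.7", "user01@example.com", "fail"),
    ("2023-10-01T10:00:03", "203.0.113.7", "user02@example.com", "fail"),
    ("2023-10-01T10:00:04", "203.0.113.7", "user03@example.com", "success"),
    ("2023-10-01T10:00:06", "203.0.113.7", "user04@example.com", "fail"),
    ("2023-10-01T10:00:07", "203.0.113.7", "user05@example.com", "fail"),
    ("2023-10-01T10:00:09", "203.0.113.7", "user06@example.com", "fail"),
    ("2023-10-01T10:00:10", "203.0.113.7", "user07@example.com", "success"),
    ("2023-10-01T10:00:12", "203.0.113.7", "user08@example.com", "fail"),
    ("2023-10-01T10:00:13", "203.0.113.7", "user09@example.com", "fail"),
    ("2023-10-01T10:00:15", "203.0.113.7", "user10@example.com", "fail"),
    # A legitimate user mistyping twice: a single account, so never flagged.
    ("2023-10-01T10:01:00", "198.51.100.4", "bob@example.com", "fail"),
    ("2023-10-01T10:01:20", "198.51.100.4", "bob@example.com", "fail"),
    ("2023-10-01T10:01:45", "198.51.100.4", "bob@example.com", "success"),
    # Routine single login.
    ("2023-10-01T10:02:00", "192.0.2.9", "carol@example.com", "success"),
]


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, min_failure_ratio=0.6):
    """Return {source_ip: summary} for sources that, inside some sliding window,
    attempted at least min_accounts distinct accounts with a failure ratio at or
    above min_failure_ratio. Thresholds are assumptions to tune per site."""
    by_source = defaultdict(list)
    for ts, source, account, outcome in events:
        by_source[source].append((datetime.fromisoformat(ts), account, outcome))

    alerts = {}
    for source, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge so rows[start:end+1] fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {account for _, account, _ in span}
            failures = sum(1 for _, _, outcome in span if outcome == "fail")
            if len(accounts) < min_accounts or failures / len(span) < min_failure_ratio:
                continue
            summary = {
                "attempts": len(span),
                "distinct_accounts": len(accounts),
                "failures": failures,
                # Successes inside a stuffing burst are the likely account takeovers.
                "takeover_candidates": sorted(a for _, a, o in span if o == "success"),
            }
            # Keep the widest qualifying window seen for this source.
            if source not in alerts or summary["attempts"] > alerts[source]["attempts"]:
                alerts[source] = summary
    return alerts


if __name__ == "__main__":
    for source, summary in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(source, summary)
```

On the sample, only 203.0.113.7 is flagged, and the two accounts that succeeded inside its burst come out as takeover candidates; in production the same window logic runs over a live stream, and the candidates feed a forced credential reset and MFA enrolment rather than just an alert.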
2023-12-11 10:55:10 | thehackernews | CYBERCRIME | Unraveling Social Engineering: Insights from Hacker Psychology
An upcoming webinar, "Think Like a Hacker, Defend Like a Pro," focuses on the role of social engineering in cyber attacks. Social engineering is singled out because it exploits human psychology rather than software flaws, which makes it a reliable tool for attackers. The session promises a deep dive into the psychological mechanisms behind the social-engineering strategies cybercriminals use, with the aim of helping attendees understand the attacker's mindset. It is presented as a chance to learn from a leading cybersecurity expert, and attendance is free.
2023-12-11 10:19:10 | theregister | MISCELLANEOUS | VictoriaMetrics Advocates Organic Growth Over Venture Capital
VictoriaMetrics, founded in Kyiv, Ukraine, in 2018, has grown organically and has not taken external investment, unlike many startups in its field. The company develops an open-source time-series database and monitoring tool that lets customers track system health and spot problems early. The open-source product is licensed under Apache 2, while a closed-source enterprise edition adds features such as improved alerting, machine-learning-based anomaly detection, and Kafka integration. Co-founder Roman Khavronenko stresses the company's commitment to open-source principles and community feedback, but also the need to be selective about feature requests so the product stays useful to the wider community. VictoriaMetrics sees AI and machine learning as a way to handle the volume of monitoring data, particularly for pattern recognition and analysis that would be unmanageable by hand. A 60-day free trial of the enterprise product is available.
2023-12-11 07:15:57 | thehackernews | MALWARE | SpyLoan Malware Scandal Targets Millions via Malicious Loan Apps
Security researchers at ESET have identified 18 fraudulent Android loan apps, tracked as SpyLoan, with more than 12 million combined downloads. The apps targeted users in Southeast Asia, Africa, and Latin America with offers of high-interest loans while harvesting personal and financial data for extortion. Google has removed the apps from the Play Store; they were also distributed through SMS, social media, scam websites, and third-party app stores. Victims were pressured into repayment with threats to publish their private photos and videos on social media. The apps used misleading privacy policies and requested broad permissions, including access to media files, the camera, contacts, call logs, and SMS messages, under a veneer of legitimacy. Users are advised to install apps only from official sources, verify the publisher, and scrutinize reviews and requested permissions. The campaign is part of a wider trend of malicious loan apps documented by security firms and a warning about the risks of unvetted online financial services. Separately, an enhanced version of the Android banking trojan TrickMo, with new theft and obfuscation capabilities, has resurfaced.
2023-12-11 06:04:30 | thehackernews | MALWARE | New "PoolParty" Techniques Circumvent Leading EDRs, Threaten Windows Security
A new family of process-injection techniques, PoolParty, evades several endpoint detection and response (EDR) products on Windows. Presented by SafeBreach researcher Alon Leviev at Black Hat Europe 2023, PoolParty comprises eight variants that abuse the Windows user-mode thread pool: either overwriting the start routine of a worker factory (the object that manages a process's pool worker threads) or inserting crafted work items (TP_WORK, TP_WAIT, TP_IO, TP_ALPC, TP_JOB, TP_DIRECT, and TP_TIMER) into a target process's pool, so that the target's own worker threads execute attacker-supplied shellcode. Because the pool exists in every process, the techniques work against any target without the restrictions of earlier injection primitives. SafeBreach reports a 100% evasion rate against five well-known EDR products from CrowdStrike, Cybereason, Microsoft, Palo Alto Networks, and SentinelOne. The disclosure follows the similar Mockingjay injection technique and highlights the ongoing difficulty of detecting injection that rides on legitimate OS mechanisms; defenders should expect these primitives to be adopted by advanced threat actors and add coverage for thread-pool manipulation rather than relying solely on detection of classic CreateRemoteThread-style injection.
2023-12-10 15:40:09 | bleepingcomputer | CYBERCRIME | Persistent Use of Vulnerable Log4J Exposes Organizations to Risk
More than 38% of applications that use Apache Log4j are running versions with known security vulnerabilities. Log4Shell, the unauthenticated remote code execution flaw disclosed in December 2021 (CVE-2021-44228), therefore remains a live threat. Despite extensive outreach to get it patched, many organizations still ship vulnerable versions: Veracode's report finds 2.8% of applications on versions directly vulnerable to Log4Shell, with a further share on the end-of-life 1.2.x branch or on 2.17.0, which is not Log4Shell-vulnerable but is still affected by the later CVE-2021-44832. Developers often avoid updating third-party libraries for fear of breaking functionality, even though most open-source library updates are minor and non-breaking. On average, projects take more than two months to fix high-severity flaws, with understaffing and lack of information cited as the main causes of delay. Security experts call for an urgent and systematic strategy for upgrading open-source library versions to mitigate these risks.
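A practical first step toward the upgrade strategy the article calls for is an inventory check that maps every Log4j artifact in a build to the CVEs it is still exposed to, since "not 2.14.1" is not the same as "fixed". The script below is an added example written for this brief, not Veracode's or Apache's tooling. It reads Maven-style `group:artifact:version` coordinates (the sample list is constructed), encodes the fixed versions from the Apache Log4j security advisories for the December 2021 CVEs, including the 2.12.x (Java 7) and 2.3.x (Java 6) backport branches, and conservatively treats any 2.x release below the fix on its branch as affected. The same check applies to the Lazarus item above, where initial access was Log4Shell on servers that had never been patched.

```python
"""Map Log4j artifact versions to the December 2021 CVEs they remain exposed to."""
import re

# Minimum fixed version for each CVE per maintained Log4j 2 branch: the main line
# (Java 8+), the 2.12.x backports (Java 7) and the 2.3.x backports (Java 6), as
# published in the Apache Log4j security advisories. Dict order is disclosure order.
FIXED_IN = {
    "CVE-2021-44228": {"main": (2, 15, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},  # Log4Shell, JNDI RCE
    "CVE-2021-45046": {"main": (2, 16, 0), "2.12": (2, 12, 2), "2.3": (2, 3, 1)},  # incomplete 2.15.0 fix
    "CVE-2021-45105": {"main": (2, 17, 0), "2.12": (2, 12, 3), "2.3": (2, 3, 1)},  # lookup recursion DoS
    "CVE-2021-44832": {"main": (2, 17, 1), "2.12": (2, 12, 4), "2.3": (2, 3, 2)},  # JDBC appender RCE
}

# Artifact coordinates that actually carry the vulnerable code.
LOG4J2_CORE = "org.apache.logging.log4j:log4j-core"
LOG4J1 = "log4j:log4j"

# Accepts "2.14.1", "2.0", "2.0-beta9", "2.0-rc1"; pre-releases sort below the final release.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:alpha|beta|rc)(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, is_final, prerelease_number)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre or 0))


def assess(version):
    """List the CVE ids (or an end-of-life marker) a log4j-core / log4j version is exposed to."""
    v = parse_version(version)
    if v[0] == 1:
        # Log4j 1.x is not affected by Log4Shell, but it has been end-of-life since 2015 and
        # carries its own unfixed issues (e.g. CVE-2019-17571 SocketServer, CVE-2021-4104 JMSAppender).
        return ["log4j-1.x-end-of-life"]
    if v[0] != 2:
        return []
    branch = {(2, 12): "2.12", (2, 3): "2.3"}.get(v[:2], "main")
    exposed = []
    for cve, fixes in FIXED_IN.items():
        first_fixed = fixes[branch] + (1, 0)  # the final release carrying the fix
        if v < first_fixed:
            exposed.append(cve)
    return exposed


def scan_dependencies(lines):
    """Map each Log4j coordinate in a resolved dependency list to its findings; other artifacts are skipped."""
    findings = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 3:
            continue
        group, artifact, version = parts[:3]
        if f"{group}:{artifact}" in (LOG4J2_CORE, LOG4J1):
            findings[line.strip()] = assess(version)
    return findings


# Constructed sample of resolved build dependencies (not taken from any real project).
SAMPLE_DEPENDENCIES = [
    "org.apache.logging.log4j:log4j-core:2.14.1",  # directly Log4Shell-vulnerable
    "org.apache.logging.log4j:log4j-core:2.17.0",  # "patched" but still CVE-2021-44832
    "org.apache.logging.log4j:log4j-core:2.12.2",  # Java 7 backport, two fixes behind
    "org.apache.logging.log4j:log4j-core:2.21.1",  # current
    "log4j:log4j:1.2.17",                          # end-of-life 1.x line
    "com.fasterxml.jackson.core:jackson-databind:2.16.0",
]

if __name__ == "__main__":
    for coordinate, result in scan_dependencies(SAMPLE_DEPENDENCIES).items():
        print(f"{coordinate}: {', '.join(result) or 'no known December-2021 exposure'}")
```

Two points the output makes that a plain "is it 2.17.1 yet" check misses: 2.17.0 still fails on CVE-2021-44832, and the 2.12.x backport line has its own fixed versions, so a Java 7 project on 2.12.2 is patched for Log4Shell but not for the two later CVEs. Feed it the output of `mvn dependency:list` or a Gradle dependency report after normalising to `group:artifact:version`.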
2023-12-09 15:19:04 | bleepingcomputer | CYBERCRIME | New ‘AutoSpill’ Attack Compromises Android Password Managers
A new attack, named AutoSpill, steals credentials from Android password managers during autofill. It works without JavaScript injection and becomes more effective when the hosting app can also inject JavaScript. Researchers from IIIT Hyderabad showed that several popular password managers, including 1Password and LastPass, are susceptible when the Android autofill framework fills a login page loaded inside a third-party app's WebView: Android does not define who is responsible for securing the filled data, so a rogue host app can capture credentials the manager intended for the web page. Google Smart Lock and Dashlane take a different technical approach and resist the base attack, but remain vulnerable when JavaScript injection is used. The team reported the issue to the affected vendors and to Android's security team; the reports were acknowledged, but no comprehensive fix has been publicly detailed. 1Password and LastPass have commented, describing their existing mitigations and planned updates.
2023-12-09 11:55:59 | thehackernews | CYBERCRIME | Security Researchers Unveil New SLAM Spectre Attack Variant
Researchers have disclosed a new transient-execution side channel named SLAM (Spectre based on Linear Address Masking) that affects upcoming Intel CPUs with LAM and the analogous AMD UAI (Upper Address Ignore) and Arm TBI (Top Byte Ignore) features. The feature is meant to let software store metadata in unused upper address bits, but by making such non-canonical addresses translatable it lets Spectre gadgets dereference them instead of faulting, which expands the exploitable gadget surface and enables leaks of kernel memory, including root password hashes. The researchers built a covert channel around the translation of these addresses and demonstrated the leak end to end against the Linux kernel. Arm and AMD point to existing Spectre mitigations as the defence; Intel is preparing software guidance ahead of shipping LAM in future processors. Linux maintainers have merged patches that disable LAM by default until that guidance exists. SLAM follows the same group's Quarantine work, which takes the opposite approach of isolating security domains in the CPU cache to block covert channels.
2023-12-09 11:30:20 | theregister | NATION STATE ACTIVITY | Russia's Covert Campaign Utilizes Hollywood Stars Against Zelensky
An unidentified pro-Russia group has used Cameo, a service where celebrities record personalized videos on request, to run a disinformation campaign against Ukrainian President Volodymyr Zelensky. Celebrities including Elijah Wood and Mike Tyson were tricked into recording videos that were then edited to falsely portray Zelensky as struggling with substance addiction. The campaign, which began in July, presents the clips as if the celebrities had posted them on their own Instagram accounts, with added Ukrainian flags and tags to make them look authentic. Beyond social media, Russian state media have amplified the videos to lend them credibility. Microsoft observed an upsurge in such digital propaganda over the summer of 2023, including spoofed news reports imitating reputable outlets. Earlier reporting identified Russian-run bot farms inside Ukraine that spread these narratives at scale. Russian, Ukrainian, and some Western actors are all conducting influence operations, which are expected to intensify as the conflict continues, particularly around attacks on critical infrastructure.
2023-12-09 07:21:46 | thehackernews | MALWARE | GuLoader Malware Evolves with Enhanced Anti-Analysis Techniques
Researchers have documented new anti-analysis techniques in the GuLoader malware that make it harder to examine. GuLoader, active since late 2019 and distributed mainly through phishing, is a downloader that uses heavy obfuscation to deliver payloads while evading detection; it now uses Windows Vectored Exception Handling (VEH) to obscure its control flow and frustrate debuggers. Check Point's findings show its evasion has improved and that it is marketed as undetectable by antivirus products. Comparable evasion upgrades are reported in DarkGate, a malware sold on underground forums. Other RATs, including Agent Tesla and AsyncRAT, are using techniques such as steganography to bypass security controls. An updated obfuscation engine, ScrubCrypt, is also in circulation and is being used to distribute the RedLine stealer.
2023-12-08 23:29:46 | bleepingcomputer | DATA BREACH | Norton Healthcare Reveals Patient Data Compromise Post-Ransomware Attack
Norton Healthcare was hit by a ransomware attack between May 7 and May 9, 2023, that exposed personal data of patients, employees, and dependents. The compromised information includes Social Security numbers, dates of birth, health and insurance information, and possibly financial account details. Affected individuals are being offered two years of free credit monitoring. Norton is cooperating with law enforcement and has engaged a forensic security firm to investigate and remediate the incident. The ransomware group BlackCat/ALPHV publicly claimed the attack and leaked files containing personal information as proof. Norton says its medical record system and the Norton MyChart patient portal were not affected, so patient care continued. The incident is part of a wider wave of ransomware attacks on U.S. healthcare providers that has prompted government advisories about the threat to the sector.