Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-12-06 11:11:57 | bleepingcomputer | CYBERCRIME | Vulnerability in Open-Source Library Threatens NFT Security | A critical vulnerability in a widely used open-source library poses a significant threat to multiple NFT collections, including those on Coinbase. The flawed library affects pre-built smart contracts, potentially compromising their security and integrity. Thirdweb, a Web3 development platform, identified the vulnerability on November 20 and issued a fix two days later without disclosing specific details, to avoid alerting cybercriminals. Smart contract owners are urged to implement mitigation measures for all pre-built contracts created before November 22, 2023, such as locking the contracts and migrating them to a new, secure version. Thirdweb has contacted the library maintainers and other protocols, offered detailed findings and mitigations, and provided tools and tutorials to help users secure their contracts. Coinbase NFT and Mocaverse, among others, have assured their users that funds are safe and that the necessary steps are being taken to address the vulnerability. Despite these measures, the community has expressed frustration over the lack of transparency and the absence of a CVE identifier, raising concerns about the extent and management of the risk. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | CYBERCRIME | HTC Global Services Hit by ALPHV Ransomware Attack | HTC Global Services has confirmed a cyberattack following the leak of sensitive data by the ALPHV ransomware group. ALPHV, also known as BlackCat, is believed to be a reinvention of the DarkSide and BlackMatter ransomware groups. Stolen data displayed on the ransomware gang's site includes passports, emails, and confidential documents. A cybersecurity expert suggests the attack exploited the Citrix Bleed vulnerability in HTC's CareTech unit. ALPHV has a history of targeting large enterprises and adapting its tactics, and has shown an increase in attacks carried out with English-speaking affiliates. The ransomware group's recent victims include organizations in critical infrastructure sectors, raising the potential for a heightened law enforcement response. HTC is engaging cybersecurity professionals to resolve the incident and to assure clients about the integrity of their data. | Details |
| 2023-12-06 11:11:57 | bleepingcomputer | CYBERCRIME | Security Flaws in Sierra Routers Pose Major Risks to Critical Infrastructure | A suite of 21 vulnerabilities labeled "Sierra:21" has been identified in Sierra Wireless AirLink routers, which are essential for operational technology (OT) and the Internet of Things (IoT) in critical infrastructure sectors. These security flaws allow remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks, with the potential for severe impact on essential services. Forescout researchers found that some vulnerabilities can be exploited without authentication, which is particularly dangerous because they offer attackers a path to control of the routers without significant barriers. Over 86,000 internet-connected AirLink routers were found online in crucial industries, the large majority of them in the United States. Fewer than 10% of these routers had been patched against previously disclosed vulnerabilities, heightening their risk profile. To mitigate the risks, administrators should upgrade to the latest version of the AirLink Embedded Operating System (ALEOS) and apply updates from OpenNDS. No fix will be available for the TinyXML-related vulnerabilities, because that project is now abandonware. Forescout emphasizes the growing threat landscape targeting routing and network infrastructure, indicating the strategic importance of these devices to threat actors for establishing persistence, conducting espionage, and facilitating other criminal activities. | Details |
| 2023-11-26 15:13:28 | bleepingcomputer | MALWARE | New Rust-based SysJoker Malware Linked to Hamas Cyber Attacks | A redesigned version of the SysJoker backdoor, now written in Rust, is evading detection across multiple operating systems. Initially discovered by Intezer, the malware targets Windows, Linux, and macOS with sophisticated in-memory payloads and evasion techniques. Check Point's research indicates a possible association between SysJoker and the Gaza Cybergang, which was involved in 'Operation Electric Powder' targeting Israel. The updated SysJoker variant employs randomized sleep intervals and complex encryption, enhancing its stealth. The backdoor modifies the system registry for persistence, uses a OneDrive URL for C2 communication, and could potentially download additional payloads. Although it currently lacks command execution features, SysJoker continues to gather and send system information to its operators. Check Point's findings are not conclusive, but they suggest parallels with previous cyber-attacks linked to Hamas-affiliated groups. | Details |
| 2023-11-25 22:47:55 | bleepingcomputer | CYBERCRIME | General Electric Probes Alleged Cyber Attack and Data Leak | General Electric (GE) is looking into claims of a cyber attack and data theft, reportedly committed by a known threat actor. The hacker, using the moniker IntelBroker, advertised the sale of access to GE's development environment and miscellaneous data for $500. After failing to sell the access, IntelBroker claimed to possess stolen GE data, including sensitive military information from GE Aviation. Screenshots purportedly showing the stolen GE data were posted by the threat actor as evidence of the breach. GE has acknowledged awareness of the claims and is actively investigating the matter to protect the integrity of its systems. IntelBroker has previously been linked to high-profile cyberattacks, including a breach of the grocery service Weee! and the theft of personal information from D.C. Health Link. The D.C. Health Link breach eventually resulted in a congressional hearing to determine the cause, which was identified as a misconfigured server exposing data online. | Details |
| 2023-11-25 22:07:10 | bleepingcomputer | DATA BREACH | General Electric Probes Alleged Cyberattack and Data Leak | General Electric (GE) is investigating reports of an unauthorized breach of its development environment and potential data theft. A threat actor known as IntelBroker claimed to have breached GE's systems, offering to sell access and stolen information on a hacking forum. The hacker advertised access to GE's development and software pipelines along with DARPA-related military data for $500, but found no buyers. IntelBroker provided screenshots as evidence, showing what appears to be a database from GE Aviation, including details on military projects. GE confirmed its awareness of the claims and is currently conducting an investigation to assess and mitigate any potential impact on its systems. IntelBroker has a history of high-profile cyberattacks, including a breach of the Weee! grocery service and the theft of sensitive data from DC Health Link. The earlier IntelBroker breach of DC Health Link led to congressional hearings because it exposed the personal information of DC staff and their families. | Details |
| 2023-11-25 15:16:07 | bleepingcomputer | MALWARE | Atomic Stealer Malware Targets macOS Users with Fake Updates | A fake browser update campaign, ClearFake, which previously targeted Windows, has now expanded to macOS, delivering the Atomic Stealer malware. Threat analysts report that compromised websites are prompting macOS users to download malicious DMG files disguised as Safari updates. Atomic aims to steal sensitive information, including browser-stored passwords, cookies, credit card details, and cryptocurrency wallet data. The cybersecurity community identified Atomic earlier this year, but it remains undetected by approximately 50% of the antivirus engines on VirusTotal. Users are reminded that legitimate Safari updates arrive only through macOS's Software Update feature and are warned against downloading updates from website prompts. The new tactic of using the blockchain to distribute malware illustrates the evolution and sophistication of the cyber threats facing both individuals and organizations. | Details |
| 2023-11-25 05:12:26 | thehackernews | NATION STATE ACTIVITY | Covert 'HrServ.dll' Web Shell Strikes Afghan Government Entity | A previously undocumented web shell, HrServ.dll, has been used in a sophisticated attack against an Afghan government organization, hinting at APT (advanced persistent threat) involvement. Kaspersky researchers discovered that the web shell has complex capabilities, such as custom encoding and in-memory execution, pointing to a high level of attacker sophistication. Analysis of the malware uncovered versions dating back to early 2021, suggesting a long-term, stealthy operation against the targeted entity. The attack leverages the PAExec tool for initial access, then employs a deceptive scheduled task and a Windows batch script to set up the web shell for remote server control and subsequent exploitation tasks. HrServ.dll appears designed to mask its traffic as benign by mimicking Google services, complicating network traffic analysis for security teams. Malicious HTTP requests handled by the web shell can initiate various actions, from creating and reading files to executing encoded data in stealthy, memory-resident threads. The attackers have made an effort to erase forensic evidence post-compromise, highlighting a deliberate effort to avoid detection and analysis by security professionals. The identity of the attackers remains unknown, though the malware's characteristics suggest potential financial motives combined with APT-like tactical execution. | Details |
| 2023-11-25 04:06:15 | thehackernews | DATA BREACH | ownCloud Vulnerabilities Threaten User Data Integrity | ownCloud has disclosed three critical security flaws affecting its file-sharing software, potentially leading to sensitive data disclosure and unauthorized file modifications. The first flaw originates from a third-party library in the 'graphapi' app, which could reveal PHP environment configuration details, including sensitive credentials. ownCloud advises users to delete a specific file, disable the 'phpinfo' function, and change passwords and access keys to mitigate the first vulnerability. The second vulnerability allows file access, modification, or deletion without authentication if the user's username is known and that user has no signing-key configured. A third security issue permits attackers to redirect callbacks to a domain they control, due to improper access control within the oauth2 app's validation code. As temporary measures, disabling the "Allow Subdomains" option and hardening the validation code are recommended to protect against the third flaw. An unrelated remote code execution vulnerability in the CrushFTP software was also reported and patched, with a PoC exploit released that could allow attackers to gain administrator access without authentication. | Details |
| 2023-11-24 18:22:29 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Lazarus Group Exploits Zero-Day in Supply-Chain Attack | The North Korean Lazarus hacking group has been confirmed to have used a zero-day vulnerability in a supply-chain attack. The MagicLine4NX software, developed by South Korean Dream Security, was exploited, primarily against South Korean institutions. The attack involved embedding malicious scripts into a media outlet's website, initiating a 'watering hole' attack against selected IP ranges. The attackers obtained unauthorized access through the MagicLine4NX vulnerability, allowing lateral movement within organizations. The malicious code enabled reconnaissance, data theft, and further payload execution by connecting to C2 servers. Lazarus's supply-chain attack pattern persists, with similar incidents reported against VoIP software maker 3CX and CyberLink. Funds stolen through such cyber operations allegedly support North Korea's state objectives, including cyber activities against the U.S. and South Korea. | Details |
| 2023-11-24 18:17:09 | bleepingcomputer | DATA BREACH | Critical Security Flaws in ownCloud Expose Admin Credentials | ownCloud, a widely used open-source file sharing platform, has reported three critical security vulnerabilities that pose serious risks to its integrity and to user data. The most severe flaw, CVE-2023-49103 with a CVSS score of 10, leads to the exposure of administrator passwords, mail server credentials, and other sensitive information in containerized environments. Users are urged to delete a specific file ('GetPhpInfo.php'), disable the 'phpinfo' function in Docker, and change all compromised secrets immediately. An authentication bypass flaw in the ownCloud core library allows unauthorized file access and modification without authentication if the attacker knows the username and a signing-key is not in use. A subdomain validation bypass within the oauth2 library permits attackers to redirect callbacks to their own domains, which could facilitate phishing attacks. The ownCloud team has provided fixes and mitigations, including library updates, to address these critical issues. Administrators are encouraged to apply the security updates promptly to protect data from potential theft, unauthorized access, and phishing attacks. | Details |
| 2023-11-24 17:31:00 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Exploit Zero-Day in Supply-Chain Cyberattack | The North Korean Lazarus hacking group exploited a zero-day vulnerability in the MagicLine4NX software, which is widely used in South Korea for secure logins. The zero-day vulnerability enabled the group to conduct a supply-chain attack against South Korean institutions. The attackers compromised a media outlet's website, embedding malicious scripts to perform 'watering hole' attacks targeting specific IP ranges. After triggering the vulnerability, the attackers gained control of the victim's computer and connected it to their command and control (C2) servers. The hackers deployed information-stealing code on the targeted organizations' servers, enabling reconnaissance and data exfiltration. These advanced persistent threat (APT) activities are part of North Korea's broader strategy, which includes cyber espionage and cryptocurrency theft to fund national priorities. Official advisories from the NCSC, NIS, and CISA provide detailed analysis of the Lazarus group's tactics and the broader implications of its operations. | Details |
| 2023-11-24 17:15:28 | bleepingcomputer | CYBERCRIME | Cyberattack on UK IT Provider CTS Disrupts Legal Sector Operations | A cyberattack on CTS, a managed service provider (MSP) for UK law firms, has caused a significant service outage. The outage is affecting numerous law firms and disrupting property transactions. CTS is investigating the incident with help from a leading cyber forensics firm and is working to restore services. The company is unable to provide a specific timeline for resolution and full restoration of the affected systems. A ransomware attack is suspected; based on client estimates, between 80 and 200 law firms could be affected. No evidence suggests that data integrity has been compromised; systems will remain offline until safety assurances are received. CTS offers services including cyber protection, attack detection, and employee security training. The National Cyber Security Centre (NCSC) had previously warned about the risks associated with using MSP services. | Details |
| 2023-11-24 15:38:20 | theregister | CYBERCRIME | OpenCart Owner's Hostile Reaction to Vulnerability Disclosure | A security researcher disclosed a critical code injection vulnerability in OpenCart (CVE-2023-47444) with a CVSS 3 score of 8.8. OpenCart's owner, Daniel Kerr, responded aggressively to the vulnerability report, dismissing it as a "non vulnerability." Researcher Mattia Brollo had attempted to contact OpenCart through multiple official channels before resorting to a public GitHub issue. Despite initial resistance and offensive remarks, Kerr eventually merged a fix for the vulnerability into OpenCart's master branch. The incident recalls similar past issues with OpenCart's security practices, including weak password-hashing algorithms and encryption methods. OpenCart is a widely used e-commerce platform, though competitors such as WooCommerce and Shopify hold larger market shares. The history of security issue reports and OpenCart's responses suggests a pattern of dismissive behavior towards community feedback on security practices. | Details |
| 2023-11-24 15:38:20 | thehackernews | CYBERCRIME | Sophisticated Telegram Bot Targets Victims in Phishing Scams | A new analysis has exposed a Telegram bot named Telekopye, used by cybercriminals to conduct large-scale phishing scams. The bot enables scammers to create fake websites, emails, and SMS messages. The group operating this scheme, dubbed Neanderthals, is structured much like a legitimate company, recruiting members and assigning roles. The Neanderthals lure victims, termed Mammoths, into fraudulent transactions using sophisticated social engineering tactics. The scams involve posing as both buyers and sellers in online marketplaces, as well as conducting refund scams to double-charge victims. Cybersecurity firm Group-IB reported that the same operation, also known as Classiscam, has amassed $64.5 million since 2019. The Neanderthals carefully select potential victims and conduct extensive market research to increase the success rate of the scams. The criminals use techniques such as VPNs, proxies, and Tor to remain anonymous, and have expanded their fraudulent activities to include real estate scams. | Details |