Daily Brief
Find articles below; the Summary column holds the generated summary for each article.
Total articles found: 11754
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-11-24 10:37:39 | thehackernews | NATION STATE ACTIVITY | Hamas Threat Actor Allegedly Behind Cross-Platform SysJoker Attacks | Cybersecurity researchers have identified a Rust-powered version of SysJoker, a cross-platform backdoor, targeting Israel. The backdoor has been attributed to a Hamas-linked threat actor amid the conflict with Israel. SysJoker gathers system information and can remotely execute commands, download, and execute new malware. The updated version of SysJoker employs the Rust language and uses Microsoft's OneDrive for dynamic command-and-control server URLs. Check Point's analysis indicates that the use of OneDrive enables attackers to swiftly change C2 addresses, complicating detection efforts. The evolution of SysJoker includes enhanced evasion techniques, such as random sleep intervals. Two previously undetected, more complex SysJoker samples were discovered for Windows systems, featuring multi-stage execution. Connections between the updated SysJoker backdoor and Operation Electric Powder were found, hinting at consistent threat actor involvement over several years. |
| 2023-11-24 06:48:54 | thehackernews | DATA BREACH | Fortune 500 Companies' Kubernetes Secrets Leaked Publicly | Kubernetes configuration secrets from several Fortune 500 firms, including two top blockchain companies, were exposed in public repositories. Aqua Security identified 438 records on GitHub with potential access credentials to container image registries, 46% of which had valid credentials. Access provided by the credentials included both pulling and pushing rights, often exposing private container images. Researchers noted that nearly half of the uncovered manually set passwords were weak, highlighting the need for robust organizational password policies. Despite inadvertent exposure, all AWS and Google Container Registry credentials were temporary and expired, negating the risk of unauthorized access. GitHub Container Registry's mandatory two-factor authentication provided added security against potential breaches. Some exposed keys had minimal privileges or were encrypted, reducing risks; however, this incident underlines general concerns about vulnerabilities and misconfigurations as major security issues within container environments. |
| 2023-11-23 18:07:27 | theregister | CYBERCRIME | BlackCat Ransomware Compromises Major US Title Insurer Fidelity National Financial | Fidelity National Financial (FNF), a Fortune 500 insurance company, was the target of a significant ransomware attack. FNF was compelled to shut down key systems following the cybersecurity incident, affecting title insurance and other services. The attack's specifics, including the extent of data compromise, are under ongoing investigation. Ransomware group ALPHV/BlackCat claimed responsibility for the breach and has suggested it holds undisclosed information. The attack vector may have been a recently patched critical vulnerability in Citrix NetScaler devices, known as "CitrixBleed." Despite the availability of patches, many organizations were still exposed to the CitrixBleed vulnerability a month after the fix was released. The cyber incident disrupted operations not only for FNF but also for the broader real estate market, delaying home purchases and closings. |
| 2023-11-23 14:53:40 | thehackernews | NATION STATE ACTIVITY | Konni Group Targets Russia with Sophisticated Phishing Attacks | An ongoing phishing campaign, utilizing Russian-language Microsoft Word documents, has been identified as the work of a North Korean threat actor known as Konni. Konni, thought to be associated with Kimsuky (APT43), deploys malware through these documents to collect sensitive data from infected Windows devices. Recent attacks have exploited the WinRAR vulnerability (CVE-2023-38831) and used obfuscated scripts to install a Remote Access Trojan (RAT) and data-harvesting batch scripts. The threat actor focuses on espionage, consistently refining its techniques to avoid detection while aiming to exfiltrate data. Fortinet has detailed the latest attack method, which involves a macro-enabled Word document that unleashes a sequence leading to the deployment of a DLL payload with data gathering and exfiltration functions. The North Korean cyber espionage group Konni, as well as other groups such as Lazarus and ScarCruft, have heightened their focus on Russian targets, including trading firms and missile engineering companies. Russian cybersecurity entity Solar reported that Asian threat actors, predominantly from China and North Korea, are principally accountable for attacks on Russian infrastructure. |
| 2023-11-23 14:02:12 | bleepingcomputer | MISCELLANEOUS | Black Friday Deal on Zero2Automated Malware Course | Zero2Automated offers a Black Friday to Cyber Monday 25% discount on malware analysis courses, including the 'Ultimate Malware Reverse Engineering Bundle'. Courses were created by renowned reverse engineers Vitali Kremez and Daniel Bunce, providing over 25 hours of content and a collaborative online community. The sale is available from November 23rd at 14:00 GMT to November 27th at 23:59 GMT, with the discount code BLACKFRIDAY. The course features lifetime access, over 1,000 peer/teacher interactions, and regular real-world malware challenges. The 'Ultimate Malware Reverse Engineering Bundle' includes three courses designed to take participants from beginner to advanced levels. Purchases include a 10% discount on an IDA Pro Named License or IDA Home subscription, enhancing the toolkit for malware analysis. BleepingComputer endorses the quality of the course without receiving any commission and underscores the uniqueness and educational value of the content. |
| 2023-11-23 13:41:34 | theregister | NATION STATE ACTIVITY | North Korea Escalates Supply Chain Cyberattacks Globally | The UK and Republic of Korea (ROK) issued a joint advisory warning about North Korean cyberattacks on software supply chains. Attacks show increased sophistication, leveraging zero-day and N-day vulnerabilities, aiming at espionage and theft of intellectual property. Targets include government entities, the financial sector, and defense industries worldwide. Notable attacks include compromising the MagicLine4NX security software and exploiting a zero-day in the Windows version, and a similar attack on the 3CX desktop app for both Windows and macOS systems. The Lazarus group, associated with North Korea, has been identified as perpetrating these attacks, with motives aligned with North Korean state priorities. Microsoft also reported a supply chain attack on CyberLink's multimedia software, which targets systems not running specific EDR security solutions. Advisories recommend increased vigilance, applying security updates, enabling 2FA, and monitoring for anomalous network traffic to mitigate threats. |
| 2023-11-23 13:00:41 | thehackernews | MALWARE | Alert on Sophisticated WailingCrab Malware Disguised as Shipping Emails | A new malware loader called WailingCrab is being delivered via emails with shipping-related themes. IBM X-Force researchers reveal that WailingCrab consists of multiple components aimed at stealth and avoiding detection. The malware is attributed to the threat actor TA544, also known as Bamboo Spider or Zeus Panda, and is being used to deliver further malicious payloads. WailingCrab incorporates techniques such as utilizing legitimate but compromised websites and platforms like Discord for command-and-control (C2) operations. Recent updates to the malware include utilizing MQTT, a lightweight messaging protocol that is rarely used for C2 communications in the threat landscape, enhancing its evasiveness. The attack begins with an email containing a PDF attachment that leads to downloading a JavaScript file via Discord, ultimately installing a backdoor that communicates with the C2 server. Newer versions of WailingCrab encrypt the backdoor component and eliminate the need for payload retrieval from Discord, instead receiving the shellcode payload directly from the C2 server over MQTT. Discord has acknowledged the abuse of its CDN for malware distribution and plans to implement temporary file links to counteract misuse. |
| 2023-11-23 11:49:19 | theregister | CYBERCRIME | Ransomware Attack Disrupts Direct Debit Provider, Affects Payrolls | A ransomware attack on London & Zurich caused a significant service outage, starting on November 10, with the attack confirmed on November 14. Clients experienced major disruptions with direct debit payments, leading to cash flow issues and the necessity for short-term loans for at least one customer. Communication from London & Zurich has been sparse and unclear, causing uncertainty amongst clients regarding service restoration. The affected MSP managed to process its first payment since the attack began, leveraging bank loans and director funds to cover financial shortfalls. London & Zurich has stepped up recovery efforts, with API services restored and testing pending on other service areas, expecting full restoration by week's end. Some components of the service, such as customer password rotations, have been completed in anticipation of the direct debit portal going live by November 23. There is no definite timeline for service normalization, and the company has not provided details about the nature of the breach, the attackers, or the extent of data compromise. |
| 2023-11-23 10:58:00 | thehackernews | DDOS | DDoS Botnet Exploits Zero-Day Flaws in Routers and NVRs | An ongoing malware campaign is using zero-day vulnerabilities to infect routers and NVRs with a Mirai-based botnet, capable of conducting massive DDoS attacks. Akamai has detected the payload targeting devices with default admin credentials, installing Mirai variants upon successful exploitation. The zero-day vulnerabilities are currently undisclosed publicly to prevent further misuse, with patches expected to be released in the upcoming month. The botnet, named InfectedSlurs by Akamai, is identified as a variant of the JenX Mirai malware first seen in January 2018, and is linked to the hailBot Mirai variant identified by NSFOCUS in September 2023. Akamai also described a new, more advanced web shell, wso-ng, which can stealthily execute commands and steal data, potentially aiding in cyber espionage activities. Attackers have adopted methods such as using legitimate but compromised domains for command-and-control and distribution of malware, with a significant attack involving WordPress sites disclosed by Infoblox in August 2023, attributed to the VexTrio threat actor. |
| 2023-11-23 10:58:00 | thehackernews | MISCELLANEOUS | Essential Strategies for Efficient Cybersecurity Incident Response | Ensuring all team members are well-educated on cybersecurity threats is fundamental for effective incident response (IR). Regular training and incident simulations for IR teams are essential for preparedness against evolving cyber threats. Adopting a comprehensive IR plan with clear roles, responsibilities, and response strategies is crucial for coordinated action. Technology plays a pivotal role in IR; efficient logging, endpoint detection and response (EDR), and ample storage for data analysis are vital components. Identification of a breach involves balancing alert settings to avoid alert fatigue and documenting Indicators of Compromise (IOCs). Containment strategy should take into account security and business implications, focusing first on critical devices and assets. Eradication of threats should be thorough, aligning with organizational policies, and involve documentation and verification processes. Post-incident recovery should include monitoring for persistent IOCs and implementing root cause fixes to prevent future occurrences. Lessons learned are key for improving future IR capabilities, updating strategies, technologies, processes, and training programs. |
| 2023-11-23 09:11:07 | theregister | CYBERCRIME | Countering Social Engineering and Boosting Help Desk Security | Social engineering attacks are increasingly used by hackers to gain unauthorized access to sensitive data, exploiting human elements rather than technical vulnerabilities. An incident at MGM Resorts International highlighted this tactic, resulting in a substantial financial impact estimated at $100 million in lost revenue. Attackers targeting MGM persuaded an employee to reveal sensitive credentials over the phone, then escalated privileges to deploy ransomware within the IT systems. Similar techniques were used against an energy firm in the UK via AI voice impersonation and against Electronic Arts, leading to network breaches. To address these challenges, Specops offers Secure Service Desk, providing dynamic multi-factor authentication to ensure verifiable identity confirmation. Identity verification options include mobile or email codes, and integration with major Identity and Access Management (IAM) tools, enhancing IT help desk security measures. Organizations are advised to strengthen their verification processes to protect against social engineering, with Specops offering free trials and demos of Secure Service Desk to demonstrate its effectiveness. |
| 2023-11-23 08:30:14 | theregister | DDOS | Zero-Day Bugs in Routers Exploited to Build Mirai Botnet for DDoS Attacks | Akamai has discovered two zero-day vulnerabilities being used to distribute Mirai malware and create a DDoS-capable botnet. The zero-days allow for remote code execution and target routers and network video recorders using default passwords. Patches are expected in December; in the interim, changing default passwords reduces exposure. Akamai's Security Intelligence Response Team (SIRT) has not named the affected vendors but published Snort and YARA rules to detect compromises. The campaign exploits common features that may be present across multiple products, possibly due to code reuse. The InfectedSlurs botnet, which includes older JenX and hailBot Mirai code, was undetected by honeypots until October. Akamai researchers noted offensive language in the botnet's C2 domains and identified links to past DDoS attack activity. |
| 2023-11-23 05:52:21 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Weaponize CyberLink Software in Supply Chain Scheme | North Korean group Diamond Sleet has trojanized CyberLink software to launch a supply chain attack. Over 100 devices in Japan, Taiwan, Canada, and the U.S. were affected by the modified CyberLink installer. The malicious installer performs checks to evade detection by security tools and restricts when it executes. Microsoft linked the malware to C2 servers previously compromised by North Korean threat actors. The attackers targeted organizations in the defense, telecommunications, and financial sectors. The malware skips execution if security products from CrowdStrike, FireEye, or Tanium are detected. The campaign involves a downloader/loader that retrieves additional payloads disguised as PNG files. This incident follows reports of North Korean actors using fake job interviews and exploiting critical security flaws in JetBrains TeamCity for cyber espionage. |
| 2023-11-23 05:01:15 | theregister | CYBERCRIME | New Relic Issues Alert on Recent Cybersecurity Incident | New Relic, a web tracking and analytics company, has alerted its customers to a cybersecurity incident. The company is engaging third-party cybersecurity experts to conduct an investigation into the event. Customers have been advised to be vigilant and monitor their accounts for any suspicious activity, indicating potential account compromise. Details about the nature of the incident, the extent of any data access, and specific customer actions required are currently scarce. New Relic has advised customers they will be contacted directly if any actions need to be taken on their part. The advisory's timing coincides with the US Thanksgiving holiday, which may impact the response from US-based customers. The Register's inquiries for more detailed information about the incident were not answered by New Relic. |
| 2023-11-23 01:37:59 | theregister | NATION STATE ACTIVITY | North Korea-linked Hacking Schemes Target Job Market | North Korean state-sponsored actors are targeting job seekers and employers in sophisticated hacking schemes, according to Palo Alto Networks' Unit 42. The "Contagious Interview" campaign lures software engineers into downloading malware-infected NPM packages from GitHub, ostensibly for job interviews. The "Wagemole" operation involves actors impersonating job applicants for espionage and financial gain, with high confidence in its link to North Korea. Discovered in December 2022, these schemes involve faux recruiters and job postings in tech fields like AI, cryptocurrency, and NFTs. Two previously unknown malware families, BeaverTail and InvisibleFerret, were used to steal information, including credit card and cryptocurrency wallet details. The objectives of these campaigns appear to include using compromised systems as platforms for additional attacks and stealing cryptocurrency. Unit 42 found fraudulent documents and well-maintained LinkedIn and GitHub profiles designed to make the fake personas seem legitimate. The US Justice Department and FBI note these tech workers contribute their earnings to North Korea's weapons funding, a concern echoed by South Korea's government. |