Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11753
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-22 07:17:41 | thehackernews | MALWARE | Atomic Stealer Malware Targets Macs Through Fake Browser Updates | The Atomic Stealer malware, typically targeting Windows systems, has now expanded its reach to macOS. Malwarebytes reports the use of a fake web browser update scheme, known as ClearFake, to deliver Atomic Stealer to Mac users. ClearFake, a relatively new malware distribution operation, employs compromised WordPress sites to issue fraudulent update alerts. Atomic Stealer is a stealer malware family sold for $1,000 per month, capable of extracting information from web browsers and cryptocurrency wallets. Malware distributors have been leveraging themes related to fake browser updates to spread various malware, including the ClearFake campaign targeting Mac systems. The method of propagation for this stealer malware includes malicious ads, search engine redirects, and drive-by downloads, among others. Updates to LummaC2 stealer include a unique anti-sandbox technique and claims of a persistent method to extract Google Account cookies that remain active even after password changes. | Details |
| 2023-11-22 04:50:12 | thehackernews | MALWARE | LockBit Ransomware Targets Citrix Flaw for Unauthorized Access | The LockBit ransomware group is exploiting a critical vulnerability in Citrix NetScaler ADC and Gateway appliances. U.S. and Australian agencies, including CISA, FBI, and ACSC, issued a joint advisory about the exploitation of the Citrix Bleed flaw. This vulnerability, identified as CVE-2023-4966, bypasses passwords and MFA, allowing session hijacking and elevated permissions for attackers. Despite a fix by Citrix last month, the flaw had been weaponized as a zero-day exploit since August 2023. Mandiant reported that multiple groups are exploiting the vulnerability across various regions and industry verticals. LockBit utilizes the flaw for initial access, then deploys remote management tools for subsequent malicious activities. A comparative study of ransomware on Windows and Linux underscores the growing Linux ransomware threat to medium-to-large organizations, with a trend towards minimalism and stealth in attack execution. | Details |
| 2023-11-22 01:06:20 | theregister | CYBERCRIME | Binance CEO Pleads Guilty to Massive Financial Crimes | Binance and CEO Changpeng Zhao pleaded guilty to financial crimes involving money laundering and sanctions evasion. The cryptocurrency exchange will pay $10 billion in fines and settlements to the US government. Binance failed to register as a money service business, violated anti-money laundering laws, and transacted with individuals in sanctioned countries. US Attorney General Merrick Garland stated that Binance chose profits over compliance with US laws to gain market share. The company knowingly allowed US users access to its platform even after the supposed cut-off in 2019. Binance must now implement robust anti-money laundering measures and report to US agencies for three years. Zhao resigns as CEO but will remain a majority shareholder; he faces personal fines amounting to $150 million, payable to the CFTC. Binance still confronts potential charges from the Securities and Exchange Commission, which was not part of the settlement. | Details |
| 2023-11-21 21:21:55 | bleepingcomputer | CYBERCRIME | Hacktivists Compromise U.S. Nuclear Lab, Leak Employee Data | The Idaho National Laboratory (INL), crucial for U.S. atomic energy and national security research, was targeted by a cyberattack from the 'SiegedSec' hacktivist group. SiegedSec claims to have accessed and leaked extensive human resources data, which includes information on a vast number of personnel and associates. The leaked data were posted on hacker forums and Telegram, demonstrating SiegedSec's pattern of bypassing ransom negotiations in favor of public disclosure. Screenshots disseminated by the hackers suggested they had infiltrated INL systems to an extent that allowed them to create internal announcements about the breach. The INL spokesperson has confirmed the cyberattack without specifying details, stating that immediate measures were taken to safeguard affected data and that federal law enforcement is investigating the incident. The compromised server supported INL's Oracle HCM system, used for Human Resources applications, but there is no indication that any nuclear research information was accessed or disclosed. The attack on INL, part of U.S. critical infrastructure, is expected to result in increased attention and pursuit of SiegedSec by law enforcement agencies. | Details |
| 2023-11-21 19:33:56 | bleepingcomputer | MALWARE | Lumma Malware Touts Novel Google Cookie Restoration Feature | The Lumma information-stealer malware claims it can restore expired Google authentication cookies. Restored session cookies can lead to account hijacking, posing significant security risks. The alleged feature was announced on a cybercriminal forum and is exclusive to the malware's "Corporate" plan subscribers at $1,000/month. The functionality, which is designed to work once per key, allows unauthorized access to Google accounts even after sessions have expired. There is skepticism in the security community as the feature has not been independently verified, and Google has not commented on the potential exploit. Lumma's developers issued another update purportedly circumventing Google's defenses against cookie restoration. A similar feature is also found in another malware, Rhadamanthys, suggesting a potential common vulnerability exploited by cybercriminals. Users are advised to take precautions to avoid malware infections, as no definitive countermeasure by Google has been confirmed. | Details |
| 2023-11-21 19:18:23 | bleepingcomputer | MISCELLANEOUS | Microsoft Launches Defender Bug Bounty with Up to $20K Rewards | Microsoft has introduced a new bug bounty program targeting its Microsoft Defender platform, offering rewards ranging from $500 to $20,000. In certain cases, rewards could be higher at Microsoft's discretion, depending on the severity and quality of the reported security vulnerabilities. Top rewards will be given for critical severity reports that expose remote code execution vulnerabilities in the Microsoft Defender for Endpoint APIs. This program is part of Microsoft's effort to engage with the global security research community to enhance the security of its products. Microsoft also announced that over the past year, it has awarded nearly $59 million for eligible vulnerability reports across various bug bounty programs. The Microsoft Defender Bounty Program is currently focused on the Defender for Endpoint APIs but may expand to other Defender products and services in the future. Details and guidelines for the program, including a list of eligible vulnerabilities and information on reward distribution, are available on Microsoft's FAQ page. | Details |
| 2023-11-21 18:05:52 | bleepingcomputer | DATA BREACH | AutoZone Hit by Clop MOVEit Data Breach Affecting Thousands | AutoZone, a major automotive parts retailer and distributor, reported a data breach impacting 184,995 individuals. The breach was linked to the broader Clop ransomware gang campaign exploiting a MOVEit file transfer zero-day vulnerability. The breach notification indicates personal data was exfiltrated, including full names and social security numbers. AutoZone is offering identity theft protection services and advises affected individuals to stay vigilant for the next 24 months. The leaked data attributed to the breach includes employee details, tax information, payroll documents, and more, but no customer data was present. The Clop ransomware gang earlier claimed responsibility for the attack and published the stolen AutoZone data, which is being verified for authenticity. The MOVEit attacks are connected to an international cybercrime pattern, with expectations that Clop could gain $75 million in ransom payments. | Details |
| 2023-11-21 18:00:27 | bleepingcomputer | CYBERCRIME | Urgent Patch Required for Exploited 'Looney Tunables' Linux Vulnerability | CISA ordered US federal agencies to patch the 'Looney Tunables' Linux bug, an actively exploited vulnerability allowing root access. Qualys researchers discovered a buffer overflow in the GNU C Library's dynamic loader, affecting Fedora, Ubuntu, and Debian distributions. Administrators are urged to patch systems due to publicly available PoC exploits and active exploitation of the CVE-2023-4911 vulnerability. The vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, with a deadline for federal agencies to patch by December 12. The Kinsing malware campaign is exploiting the flaw to achieve root access in cloud environments, leading to further attacks and data theft. Attackers exploit vulnerabilities in PHPUnit to install a JavaScript web shell for persistent access and reconnaissance in cloud services. Kinsing attackers aim to harvest cloud service provider credentials and deploy crypto mining malware in cloud systems like Kubernetes, Docker APIs, Redis, and Jenkins. | Details |
| 2023-11-21 16:37:58 | theregister | DATA BREACH | Sumo Logic Successfully Defends Against Potential Data Breach | Sumo Logic, a SaaS log analytics company, detected unauthorized access to one of its AWS accounts due to a compromised credential. No customer data was ultimately compromised during the incident, which was first detected on November 3. Immediate actions were taken, including securing the infrastructure and rotating potentially exposed customer credentials. Sumo Logic advised all customers to rotate their credentials, especially API access keys, even if they were not directly impacted. Third-party forensic specialists were involved in the investigation to confirm the integrity of customer data and closure of the incident. The company plans to undertake additional evaluations to identify measures to prevent future incidents and strengthen overall security. The response to the incident was timely and transparent, with frequent updates to customers, and was praised by cybersecurity experts. Experts view this incident as a reminder of the importance of proactive security measures, such as regularly rotating API keys. | Details |
| 2023-11-21 16:37:57 | bleepingcomputer | CYBERCRIME | Citrix Urges Admins to Invalidate Sessions Post 'Citrix Bleed' Patch | Citrix has reiterated to administrators the importance of invalidating all user sessions after applying patches for the CVE-2023-4966 vulnerability, known as 'Citrix Bleed'. The company previously patched the flaw in early October, but active exploitation had occurred since at least late August 2023. Attackers have been stealing authentication tokens through this vulnerability, allowing them access to devices even after patches are applied. Mandiant revealed that exploited NetScaler sessions continue to pose a risk after patching, enabling network lateral movement or further account compromises. The warning follows reports that the LockBit ransomware group is leveraging the Citrix Bleed flaw, as highlighted by a joint advisory from CISA, the FBI, and others. Boeing disclosed an instance where LockBit 3.0 affiliates exploited CVE-2023-4966, leading to a significant data breach and subsequent leak on the dark web. CISA's malware analysis report indicates that the exploit has been used for malicious activities including saving registry hives and dumping LSASS process memory. It is reported that over 10,000 Citrix servers exposed to the internet were vulnerable to attacks a week prior to the advisory. | Details |
| 2023-11-21 15:56:58 | bleepingcomputer | MALWARE | DarkGate and PikaBot: Sophisticated Phishing Threats Post-Qakbot | DarkGate and PikaBot malware have surged as successors to the dismantled Qakbot botnet, posing significant risks to enterprises. A complex phishing campaign, initially distributing DarkGate, added PikaBot as its main payload, showcasing advanced tactics reminiscent of Qakbot's methods. The phishing campaign exploits email trust by replying to or forwarding ongoing discussion threads, enticing users to download a ZIP file containing malware. The attackers have been trialing various droppers to infect systems; the campaign's primary payload shifted from DarkGate to PikaBot in October 2023. DarkGate supports multiple malicious functions, including remote access, cryptocurrency mining, and data theft, while PikaBot features robust anti-analysis measures and versatile payload delivery. Cofense emphasizes the sophistication of the threat actors behind these campaigns, advising organizations to familiarize themselves with the actors' Tactics, Techniques, and Procedures (TTPs). | Details |
| 2023-11-21 15:05:32 | bleepingcomputer | MISCELLANEOUS | Criminal IP Joins VirusTotal as IP and URL Scan Contributor | Criminal IP, an AI SPERA-developed Cyber Threat Intelligence (CTI) search engine, has integrated with VirusTotal, providing IP address and URL scans. VirusTotal aggregates threat intel from over 70 antivirus engines and contributors, enhancing global cybersecurity through collective intelligence. Criminal IP specializes in real-time threat detection using AI to collect threat information, primarily focusing on IP addresses and domains. As a VirusTotal contributor, Criminal IP aids in detecting suspicious IPs, domains, or URLs, and contributes additional detailed analysis for users. The newly added URL scan feature by Criminal IP on VirusTotal includes data extraction on network logs, associated IPs, and potential website vulnerabilities. Criminal IP offers tiered membership plans, from Free to Pro, to access its comprehensive threat intelligence services, accommodating different user needs. AI SPERA released Criminal IP in April 2023 after a year-long beta, creating partnerships with global security firms and achieving high compliance standards. Criminal IP provides multilingual support, reflecting its global user engagement and commitment to diverse cybersecurity communities. | Details |
| 2023-11-21 13:58:11 | theregister | MISCELLANEOUS | Enhancing Cybersecurity with the eXtended Software Bill of Materials | A Software Bill of Materials (SBOM) is now essential to meet regulatory and buyer demands, providing a detailed list of an application's components and metadata. The U.S. Government's Executive Order from May 2021 stressed the importance of SBOMs in improving the nation's cybersecurity. Critics suggest that SBOMs may not offer a complete view of application attack surfaces due to their complexity and continuous evolution. The concept of an eXtended Software Bill of Materials (XBOM) has been introduced as a way to provide a more accurate and comprehensive understanding of applications, infrastructure, and pipelines. XBOMs aim to enhance SBOMs by offering a fuller inventory of application components, related risks, and tracking of modifications over time. A webinar titled "Why You Need an XBOM: An eXtended Software Bill of Materials" is scheduled to discuss the limitations of SBOMs and the benefits of XBOMs for application and supply chain security. The webinar, sponsored by Apiiro, will take place on 28 November and aims to guide attendees on elevating their cybersecurity approach using XBOMs. | Details |
| 2023-11-21 13:58:11 | thehackernews | CYBERCRIME | Play Ransomware Now Operates as Ransomware-as-a-Service Model | The Play ransomware strain is being offered as Ransomware-as-a-Service (RaaS) to cybercriminals. Adlumin's report highlights consistent tactics across various attacks, implying use by affiliate purchasers of the RaaS. Attacks feature the use of the same malware-hiding techniques, account creation passwords, and commands. Play ransomware exploits Microsoft Exchange Server vulnerabilities and uses double extortion tactics. The shift to RaaS indicates the evolution of Play from being operator-exclusive to commercially available for affiliates. The accessibility of RaaS kits equipped with tools and support is attracting a broader range of cyber attackers. Businesses and authorities are advised to prepare for an increase in cyber incidents due to the proliferation of RaaS offerings like Play. | Details |
| 2023-11-21 13:32:06 | bleepingcomputer | MISCELLANEOUS | Malwarebytes Offers Half-Price Deal on Premium Bundle | Malwarebytes is offering a 50% discount on its Premium + Privacy VPN bundle for Black Friday through Cyber Monday, ending November 30th. The promotional bundle includes real-time malware protection, exploit protection, and behavior detection for ransomware attacks. Malwarebytes Premium actively monitors network connections to block communication with malicious sites and C2 servers. The Privacy VPN feature enables anonymous browsing and downloading, with access to 500 servers across 30+ countries. The VPN service is based on the WireGuard protocol, known for modern, high-performance, secure VPN connections. The limited-time offer is aimed at consumers looking for comprehensive cyber protection at a reduced cost. BleepingComputer has a partnership with Malwarebytes and will earn a commission from purchases made via links in the article. | Details |