Daily Brief

2023-11-14 18:45:31 bleepingcomputer CYBERCRIME Microsoft Patches Azure CLI Bug to Prevent Credential Exposure
Microsoft has fixed a severe security flaw in Azure CLI that risked credential exposure in GitHub Actions and Azure DevOps logs. The vulnerability, identified as CVE-2023-36052, was discovered by Palo Alto's Prisma Cloud team and could allow unauthenticated remote access to plaintext credentials. Users must upgrade to Azure CLI version 2.53.1 or later to mitigate risks associated with this issue, which also affected log files from Azure DevOps and GitHub Actions. Security notifications were issued to customers who may have used vulnerable Azure CLI commands, prompting them to update via the Azure Portal. Microsoft has updated Azure CLI to prevent the inadvertent disclosure of sensitive data, with defaults now restricting secrets in output for App Service-related updates. A broader application of credential redaction has been implemented across GitHub Actions and Azure Pipelines, although not all patterns of secrets are currently covered. Microsoft is working on expanding and optimizing secret pattern detection to further safeguard against unintentional data leaks in CI/CD log outputs.
2023-11-14 18:35:10 theregister CYBERCRIME Flaw in AMD SEV Technology Compromises Trusted Execution
A group of researchers discovered a vulnerability in AMD's Secure Encrypted Virtualization (SEV) technology, named CacheWarp. CacheWarp allows an attacker to create memory inconsistencies by interrupting context switches, potentially leading to arbitrary code execution or data exposure. The technique involves the use of the APIC timer to induce selective state resets, undermining SEV's protection mechanisms. The vulnerability affects all versions of AMD SEV, including enhancements like SEV-ES and SEV-SNP, with the latter being more resistant but still vulnerable. CacheWarp is a software-fault attack, not a side-channel or transient execution attack, and operates by introducing errors in page table entries. The researchers demonstrated CacheWarp's potential by extracting private keys, accessing an OpenSSH server without credentials, and gaining root privileges via sudo. AMD was informed about the issue on April 25, 2023, and has plans to release a microcode patch for SEV-SNP and an SEV firmware update for Zen 3 EPYC Milan CPUs. A hardware-level fix is ultimately necessary, and AMD is scheduled to publish details in an upcoming bulletin.
2023-11-14 18:04:21 theregister CYBERCRIME Intel Releases Out-of-Band Fix for High-Risk Chip Flaw
Intel has issued an out-of-band patch for a privilege escalation vulnerability in its Sapphire Rapids, Alder Lake, and Raptor Lake chip families. The flaw, known as 'Redundant Prefix', was identified by Intel researchers and could be exploited for denial-of-service (DoS) or privilege escalation attacks. Initially planned for a March 2024 update, the patch was accelerated to November 2023 due to the flaw's severity, with a CVSS 3.0 score of 8.8. A Google researcher independently discovered the same DoS issue, prompting Intel to synchronize its patch release with Google's planned disclosure under a 90-day policy. Intel will be releasing a technical paper and video detailing the Redundant Prefix issue, specifically instruction encoding that could lead to unpredictable behavior or system crashes. The microcode update has been made available to all customers on supported Intel platforms without the need for a reboot and with no observed performance impact or behavioral changes.
2023-11-14 17:38:32 bleepingcomputer DATA BREACH Major Data Breach at Truepill Affects Over 2 Million Customers
Pharmacy provider Truepill experienced a data breach compromising personal information of approximately 2.3 million individuals. Unauthorized access to Truepill's network was detected on August 31, 2023, with the breach occurring a day earlier. Exposed data may include customer names, contact details, and prescription information, but not Social Security numbers. Some affected customers report being unaware of their association with Truepill, raising questions about data management. Legal consequences loom as class action lawsuits claim Truepill failed to adequately secure sensitive healthcare data. Critics are targeting the delay in breach notification and the lack of detail and guidance in the notification letters. Affected individuals noticed suspicious activities on their accounts, with some confirming that their personal data appeared on the dark web. The leaked data may also include addresses, birth dates, and medical, diagnostic, and health insurance information, which Truepill did not disclose in its notice.
2023-11-14 15:02:05 bleepingcomputer CYBERCRIME Innovative Russian Group Trains Hackers, Offers Pentest Services
AlphaLock, a Russian group billing itself as a "pentesting training organization," has a unique approach to cybercrime including performances and a sleek user interface. The group's business model combines hacker training with an affiliate program to monetize these skills in a marketplace called Bazooka Code Pentest Training. Trained hackers are offered a platform to perform "pentesting services" for clients, allowing the threat actors to potentially target specific organizations. Initial contact with AlphaLock was through a public Telegram channel, which they've since switched to a private setting, utilizing the decentralized chat application Matrix. The group also plans to move their communications and recruitment further onto platforms like a YouTube channel. Flare, a threat exposure management company that sponsored the article, offers services to monitor illegal activities, revealing insights into evolving cybercrime ecosystems.
2023-11-14 14:46:30 theregister CYBERCRIME Royal Ransomware Potentially Rebranding Amidst High Earnings
The FBI and CISA have issued fresh guidance on the Royal ransomware, hinting at a potential rebrand or emergence of a spinoff variant due to similarities with BlackSuit ransomware. Evidence of code overlaps and comparable intrusion methods between Royal and BlackSuit suggests a close relationship, possibly indicative of a rebranding effort. Security researchers have discovered nearly identical code between the Royal and BlackSuit ransomware strains, with minor distinctions. Threat actors associated with these ransomware groups have utilised legitimate software and tools, such as AnyDesk, LogMein, and SSH clients, for network tunneling and maintaining persistent access. The Royal ransomware group has amassed over $275 million in ransom demands from more than 350 victims, with individual demands ranging between $250,000 and $11 million. Royal is known for targeting critical national infrastructure sectors, including manufacturing, healthcare, and education, posing serious concerns for national security. CISA and the FBI's advisory provide comprehensive indicators of compromise (IOCs) and mitigation strategies for organizations to defend against these ransomware threats.
2023-11-14 11:57:34 thehackernews DDOS Docker Engines Hijacked by OracleIV DDoS Botnet Attack
Public Docker Engine API instances are under attack, being forcibly integrated into the OracleIV DDoS botnet. Attackers deploy malicious Docker containers using misconfigured public Docker APIs, facilitated by an HTTP POST request. The oracleiv_latest image masquerades as a MySQL Docker image and has been downloaded 3,500 times, but it is used for DDoS attacks rather than its purported purpose. The attack leverages a shell script to execute DDoS strategies including slowloris, SYN floods, and UDP floods. Although the counterfeit container has capabilities to mine cryptocurrency, such activities were not observed by the cloud security firm. Vulnerable MySQL servers have also been identified as targets for the Ddostf DDoS botnet, which can execute commands on new C&C servers sold as DDoS services. Several new DDoS botnets have emerged, showing an increase in such threat actors using sophisticated methods to evade detection and carry out their attacks. XorDdos malware has witnessed a resurgence, targeting Linux devices to turn them into bots for DDoS purposes, with a peak in activity noted in August 2023.
2023-11-14 11:57:34 thehackernews DATA BREACH Navigating Cyber Threats with Continuous Security Monitoring
The global average cost of a data breach in 2023 is $4.45 million, bringing severe financial and reputational damages. Traditional cybersecurity defenses are no longer sufficient due to the increasing frequency and costs of data breaches. Continuous security monitoring is advocated as a crucial strategy, providing ongoing vigilance against vulnerabilities and threats. Continuous monitoring offers a dynamic, 24/7 approach to security, unlike periodic assessments that provide only a snapshot of security posture. A report reveals that 74% of internet-exposed web apps containing personal identifiable information (PII) are vulnerable to attack. Organizations must choose between pen testing as a service (PTaaS) or standard pen testing to protect web applications, based on specific needs. PTaaS and standard pen tests each have unique advantages for maintaining robust cybersecurity in an evolving digital landscape. Outpost24 provides solutions for continuous monitoring that help prioritize vulnerabilities and optimize cybersecurity postures.
2023-11-14 11:36:56 thehackernews MALWARE Guarding Against Impersonation of Dependabot in CI/CD Pipelines
Dependabot, a tool for automating updates of software dependencies, has been impersonated by malicious actors targeting GitHub-hosted projects. These impostors attempted to trick developers into merging code changes by making pull requests that mimic Dependabot's legitimate suggestions. CI/CD pipelines, which integrate and deploy software rapidly, connect internal development with external tools, creating potential security risks. The risks include attacks like typosquatting and dependency confusion targeting open-source repositories, and exploitation of weakly protected API credentials within the pipelines. Many CI/CD platforms, designed for flexibility, compromise on security measures, leading to potential leaks of sensitive information, as during the CircleCI breach in early 2023. Best practices for securing CI/CD pipelines involve ensuring credential protection, enabling proactive security measures, and viewing pipelines as high-risk environments. Continuous improvement of pipeline security is necessary to mitigate threats and adapt to an evolving cyber landscape. Integrating security into the development workflow remains a high priority.
2023-11-14 11:06:15 theregister MALWARE New 'Effluence' Malware Targets Atlassian Confluence Servers
A novel malware named Effluence has been discovered targeting Atlassian Confluence servers, exploiting a critical vulnerability. Effluence persists on infected systems even after the Confluence server has been patched, providing attackers with remote access capabilities. Patches for the vulnerability were released on October 31, but organizations are encouraged to investigate further, as the malware is challenging to detect. Unlike typical web shells, Effluence does not require the attacker to log into Confluence, instead hijacking the Apache Tomcat web server to gain access. The malware allows for a comprehensive range of command executions, sharing similarities with the Godzilla web shell. Effluence does not leave obvious indicators of compromise, complicating efforts for defenders to identify infections. Manual review of installed plugins and monitoring of static pages and response sizes against a baseline are recommended for detection. While Effluence mainly targets Confluence, there is potential for the malware to affect other Atlassian products through common APIs.
2023-11-14 10:05:03 thehackernews NATION STATE ACTIVITY IronWind Malware Campaign Targets Middle East Governments
Proofpoint has identified a phishing campaign targeting Middle East government entities to deliver the IronWind malware. The campaign, active from July to October 2023, is attributed to TA402, also known as Molerats, Gaza Cyber Gang, and APT-C-23. TA402 uses compromised email accounts, Dropbox links, and file attachments (XLL, RAR) to distribute the malware and deploy advanced persistent threats. IronWind represents a tactical shift from previous campaigns that propagated the NimbleMamba backdoor, pointing to the group's evolving strategies. The malware triggers multi-stage sequences to contact attacker-controlled servers and download additional payloads, including the SharpSploit post-exploitation toolkit. Social engineering and geofencing are among the sophisticated techniques employed by TA402 to maintain targeted activity and avoid detection. Despite ongoing regional conflicts, TA402's operations continue, reflecting the group's commitment to collecting intelligence and engaging in cyber espionage.
2023-11-14 08:08:02 thehackernews CYBERCRIME Vietnamese Malware Campaign Targets Facebook Business Accounts in India
Vietnamese hackers have been targeting Indian marketing professionals to hijack Facebook business accounts using new Delphi-powered malware. The attackers used Facebook sponsored ads to spread malicious ads and malware that steals login cookies and takes control of the victims' accounts. The malware campaign involved sending archive files with a malicious executable disguised as a PDF, which deploys a PowerShell script and a decoy PDF document. A rogue library named libEGL.dll is downloaded, which alters Chromium-based web browser shortcuts to load a rogue extension that hijacks Facebook business accounts. The rogue extension mimics the legitimate Google Docs Offline add-on, evading detection while stealing information from open tabs and Facebook accounts. Google filed a lawsuit against individuals in India and Vietnam for exploiting interest in Bard, Google's AI product, to spread malware and steal social media credentials. Earlier in the year, Meta reported deceptive browser extensions in official stores claiming to offer ChatGPT tools, and Meta blocked over 1,000 unique malicious URLs from being shared on its services.
2023-11-14 08:02:47 theregister NATION STATE ACTIVITY ETSI to Release TETRA Radio Encryption Algorithms for Research
ETSI plans to make TETRA radio encryption algorithms public, allowing academic research and vulnerability testing. TETRA is used by government, law enforcement, and emergency services across Europe and the UK for secure communications. Security firm Midnight Blue revealed five critical vulnerabilities that could let attackers intercept TETRA communications. The decision to open source TETRA cryptographic algorithms followed unanimous agreement by the technical committee overseeing the standard. Opening the encryption algorithms to the public domain aims to increase security by enabling independent reviews and bug fixes. TEA 1, 2, 3, and 4 are the original set of TETRA Air Interface cryptographic algorithms, with three new quantum-resistant algorithms, TEA 5, 6, and 7, added in 2022. Researchers delayed the disclosure of vulnerabilities for 1.5 years due to the sensitive nature of TETRA networks and the complexity of implementing fixes. The move to publish the algorithms does not yet have a set date, but aims to enhance security measures against the future threat of quantum computing decryption.
2023-11-14 07:06:27 theregister NATION STATE ACTIVITY UK's National Cyber Security Centre Raises Alarm on CNI Cybersecurity
The UK National Cyber Security Centre (NCSC) has declared that the cybersecurity resilience of critical national infrastructure (CNI) is not adequate. The annual report highlights the increasing threats, particularly from nation states such as Russia, China, Iran, and North Korea, and state-aligned actors. The NCSC is working towards enhancing security across CNI sectors in the face of evolving threats, aiming to keep pace with the adversaries and improve resilience. Serious cyber-attacks on critical services, such as Royal Mail International and NHS supplier Advanced, demonstrate the immediate risks to the UK's CNI. The report calls for a better baseline in cybersecurity across all CNI sectors by 2025, including the need for information sharing and international cooperation to build resilience. Commercial pressures on CNI operators, particularly in the private sector, can sometimes lead to cybersecurity being deprioritized in favor of shareholder value. International efforts and new regulations, including the US's Critical Infrastructure Act and the EU's NIS2, CER, and DORA, aim to improve CNI cybersecurity standards globally.
2023-11-14 06:04:37 theregister NATION STATE ACTIVITY Hikvision Accused of Building Surveillance to Identify Fasting Students
US-based research group IPVM has accused Hikvision of creating technology to monitor Muslim students fasting during Ramadan. Hikvision, on its LinkedIn page, confirmed winning a tender for a smart campus project but denied developing features to identify ethnic minorities. The government contract required the implementation of a "Smart Campus" system at Minjiang University, which included monitoring various student activities. The system reportedly has a feature for "Assisted Analysis Of Ethnic Minority Students," potentially alerting administrators about students who fast. The smart campus system tracks extensive personal details such as library activity, holiday travel, passport use, and party membership applications. Concerns are raised due to China's history of human rights violations against Muslim minorities, including bans on fasting for some government workers. Hikvision had previously been implicated in providing technology to identify Uyghur Muslims, a claim it denied, stating that such identification features were removed in 2018.