Daily Brief

Articles are listed below; each entry is followed by a machine-generated summary

Total articles found: 11729

Checks for new stories every ~15 minutes

2023-11-14 06:04:37 theregister NATION STATE ACTIVITY Hikvision Accused of Building Surveillance to Identify Fasting Students
US-based research group IPVM has accused Hikvision of creating technology to monitor Muslim students fasting during Ramadan. Hikvision, on its LinkedIn page, confirmed winning a tender for a smart campus project but denied developing features to identify ethnic minorities. The government contract required the implementation of a "Smart Campus" system at Minjiang University, which included monitoring various student activities. The system reportedly has a feature for "Assisted Analysis Of Ethnic Minority Students," potentially alerting administrators about students who fast. The smart campus system tracks extensive personal details such as library activity, holiday travel, passport use, and party membership applications. Concerns are raised due to China's history of human rights violations against Muslim minorities, including bans on fasting for some government workers. Hikvision had previously been implicated in providing technology to identify Uyghur Muslims, a claim it denied, stating that such identification features were removed in 2018.
2023-11-14 06:04:37 thehackernews NATION STATE ACTIVITY CISA Orders Urgent Patching for Exploited Juniper OS Flaws
CISA has mandated federal agencies to fix critical vulnerabilities in Juniper Junos OS by November 17, 2023. The directive responds to active exploitation of five security flaws, potentially allowing remote code execution on affected devices. Juniper acknowledges confirmed exploitations and urges customers to update systems immediately. The exploitation details remain undisclosed, highlighting the urgency for mitigation. CISA also reports potential rebranding of Royal ransomware to BlackSuit, noting coding similarities. Cyfirma reveals critical exploit sales on darknet, indicating heightened risk from ransomware gangs. Healthcare organizations are targeted via ScreenConnect; hacking groups seek persistent access through remote access tools.
2023-11-14 02:41:14 theregister CYBERCRIME Academic Study Recovers SSH Private Keys from Faulty RSA Signatures
A recent academic study showed how to recover SSH servers' private RSA keys on certain devices by exploiting computational errors during signing. The weakness lies in RSA-CRT signing: when one half of the CRT computation is corrupted, the resulting signature is still correct modulo one of the two primes, and a single gcd computation against the public key reveals that prime and thus the private key. Systems using OpenSSL, LibreSSL, or OpenSSH are not affected, because those libraries verify each signature before releasing it, which spares a large share of internet-connected devices. With the recovered key, an attacker can impersonate the device in a man-in-the-middle attack, intercept users' login credentials, and monitor their sessions. Because the faulty signatures travel over the wire, the keys can be derived from passive network monitoring alone. The team scanned billions of SSH records collected over seven years, found more than 590,000 invalid RSA signatures, and derived private keys from about 4,900 of them. Products from four manufacturers (Cisco, Zyxel, Hillstone Networks, and Mocana) were found susceptible; Cisco and Zyxel have since addressed the issue. The study suggests that other Internet-of-Things devices and embedded systems may be at risk, and it calls for further research into IPsec implementations, which sign in a similar way.
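The mechanism behind the study, as an added example that is not code from the paper or from any affected vendor: a toy RSA-CRT signer with a simulated single-bit fault, the gcd recovery a passive observer can run using only the public key, the signed value and one faulty signature, and the verify-before-release check that keeps OpenSSL and OpenSSH out of the affected set. The 64-bit toy primes, the seeded RNG, the SHA-256 stand-in for the SSH exchange hash, and the bit-flip fault model are all assumptions made for the demonstration.

```python
"""RSA-CRT signature fault attack, reduced to a self-contained toy.

A CRT signer computes s_p = m^d mod p and s_q = m^d mod q and recombines
them. If the q-half is corrupted, the signature s' is still correct mod p,
so gcd(s'^e - m, N) = p. In SSH the signed value m is derived from the
exchange hash, which a passive observer can compute from the handshake;
here a SHA-256 of a constructed message stands in for it.
"""
import hashlib
import math
import random
from dataclasses import dataclass

E = 65537


@dataclass(frozen=True)
class RsaKey:
    p: int
    q: int
    d: int

    @property
    def n(self) -> int:
        return self.p * self.q


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin; adequate for a demo, not a replacement for a real library."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def gen_key(bits: int = 64, seed: int = 1) -> RsaKey:
    """Deterministic toy key (seeded RNG) so the demo is reproducible."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return RsaKey(p, q, pow(E, -1, phi))


def message_rep(msg: bytes, n: int) -> int:
    """Stand-in for the hashed, padded value the signer actually signs."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def crt_sign(m: int, key: RsaKey, fault: bool = False) -> int:
    """Textbook RSA-CRT with Garner recombination; `fault` flips one bit of s_q."""
    p, q = key.p, key.q
    s_p = pow(m, key.d % (p - 1), p)
    s_q = pow(m, key.d % (q - 1), q)
    if fault:
        s_q ^= 1  # simulated hardware/software error in the q-half only
    h = ((s_p - s_q) * pow(q, -1, p)) % p
    return s_q + q * h  # still congruent to s_p mod p whatever s_q became


def recover_factor(n: int, e: int, m: int, sig: int):
    """Lenstra's attack: one faulty signature plus the public key yields a factor."""
    g = math.gcd((pow(sig, e, n) - m) % n, n)
    return g if 1 < g < n else None


def sign_checked(m: int, key: RsaKey, fault: bool = False):
    """The countermeasure OpenSSL/OpenSSH apply: verify before releasing."""
    sig = crt_sign(m, key, fault)
    return sig if pow(sig, E, key.n) == m else None
```

`recover_factor` is what the scanning team did at internet scale: every invalid signature seen on the wire is a free attempt, and the signer never learns it leaked anything. `sign_checked` costs one public-key operation per signature and turns a key-revealing fault into a connection failure.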
2023-11-14 01:04:38 theregister CYBERCRIME Google Targets Scammers for Fake Bard Chatbot and DMCA Abuse
Google has filed a lawsuit against three individuals for distributing malware disguised as its Bard AI chatbot, intended to steal social media credentials from small businesses. The tech giant is seeking legal action for trademark infringement, citing the unauthorized use of its logos in fraudulent advertisements promoting the fake Bard download. Google aims to secure a court order preventing the scammers from establishing domains and to enable domain registrars in the US to disable such domains. If successful, the lawsuit could deter future scams and establish a clearer mechanism for addressing similar fraudulent activities. In a separate lawsuit, Google is combating another group for exploiting the DMCA takedown process by filing false copyright claims against competitors, which has led to the unjustified removal of content from Google Search. Additionally, a federal judge has dismissed some claims in a lawsuit against Meta's Llama language model, which authors and a comedian accused of copyright infringement; however, the judge offered the plaintiffs an opportunity to amend their complaint. Google has filed approximately 300 takedown notices related to the scam group and seeks damages, including profits made from the scam.
2023-11-13 21:45:41 bleepingcomputer CYBERCRIME Ethereum 'Create2' Exploited to Steal $60 Million in Crypto
Cybercriminals exploited Ethereum's 'Create2' opcode to steal $60 million from 99,000 victims over six months. 'Create2' lets a deployer compute a contract's address before the contract exists, so an attacker can have a victim approve or transfer assets to an address that has no code and no transaction history at signing time; wallet warnings keyed on known-malicious addresses or existing contract code therefore do not fire, and the drainer contract is deployed to that address only afterward. In one observed case, a victim lost $927,000 in GMX tokens after signing a transaction to such a pre-computed address. A second method, 'address poisoning,' creates addresses whose first and last characters match ones the victim has used before, so a user copying from transaction history sends assets to the attacker. Scam Sniffer detected 11 victims of 'address poisoning,' with one losing $1.6 million in a single transaction. MetaMask and other crypto service providers have issued warnings about these scams. The security community advises verifying the full recipient address, not just its visible prefix and suffix, before signing any cryptocurrency transaction.
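Both techniques from this summary, as an added example that is not code from Scam Sniffer, MetaMask or any wallet: the EIP-1014 CREATE2 address derivation (with Keccak-256 implemented inline, because Python's `hashlib.sha3_256` uses SHA-3 padding and does not match Ethereum's Keccak), a minimal constructed model of reputation-based wallet warnings showing why they stay silent for a not-yet-deployed address, and the prefix/suffix look-alike check that address poisoning abuses. The `WalletModel` class, the attacker address, the salt and the placeholder bytecode are all constructed for the demonstration.

```python
"""CREATE2 precomputation and the address-poisoning look-alike check."""
from typing import Dict, List, Set

MASK = (1 << 64) - 1
ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
       41, 45, 15, 21, 8, 18, 2, 61, 56, 14]          # Keccak rho offsets, index = x + 5*y
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A,
      0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
      0x8000000080008081, 0x8000000000008009, 0x000000000000008A,
      0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089,
      0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
      0x000000000000800A, 0x800000008000000A, 0x8000000080008081,
      0x8000000000008080, 0x0000000080000001, 0x8000000080008008]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK


def _keccak_f1600(s: List[int]) -> List[int]:
    for rc in RC:
        # theta
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]
        # rho + pi
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], ROT[x + 5 * y])
        # chi
        s = [b[i] ^ ((~b[(i + 1) % 5 + 5 * (i // 5)] & MASK) & b[(i + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        # iota
        s[0] ^= rc
    return s


def keccak256(data: bytes) -> bytes:
    """Ethereum Keccak-256: rate 136 bytes, 0x01 domain byte, 10*1 padding."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    s = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        s = _keccak_f1600(s)
    return b"".join(lane.to_bytes(8, "little") for lane in s)[:32]


def create2_address(deployer: bytes, salt: bytes, init_code: bytes) -> bytes:
    """EIP-1014: keccak256(0xff ++ deployer ++ salt ++ keccak256(init_code))[12:]."""
    assert len(deployer) == 20 and len(salt) == 32
    return keccak256(b"\xff" + deployer + salt + keccak256(init_code))[12:]


def looks_alike(a: bytes, b: bytes, prefix: int = 2, suffix: int = 2) -> bool:
    """Address poisoning relies on UIs showing only the first and last few bytes."""
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


class WalletModel:
    """Constructed stand-in for a wallet's reputation checks; not a real wallet."""

    def __init__(self, denylist: Set[bytes]):
        self.denylist = set(denylist)
        self.code: Dict[bytes, bytes] = {}      # deployed contract code by address

    def deploy_create2(self, deployer: bytes, salt: bytes, init_code: bytes) -> bytes:
        addr = create2_address(deployer, salt, init_code)
        self.code[addr] = init_code             # simplification: init code kept as "code"
        return addr

    def warnings_for(self, recipient: bytes) -> List[str]:
        out = []
        if recipient in self.denylist:
            out.append("known-malicious address")
        if recipient in self.code:
            out.append("recipient is a contract")
        return out


def demo():
    """Victim signs before deployment: no warnings. The contract appears afterwards."""
    attacker = bytes.fromhex("deadbeef" * 5)          # constructed, denylisted deployer
    chain = WalletModel(denylist={attacker})
    salt = bytes(31) + b"\x01"
    placeholder = bytes.fromhex("60006000fd")          # PUSH1 0 PUSH1 0 REVERT; stand-in bytecode
    target = create2_address(attacker, salt, placeholder)
    before = chain.warnings_for(target)                # address the victim is asked to sign for
    chain.deploy_create2(attacker, salt, placeholder)  # deployed only after the victim signed
    after = chain.warnings_for(target)
    return before, after
```

The denylisted deployer never appears in the transaction the victim signs; only the fresh `target` does, and nothing on-chain distinguishes it from an unused externally owned address until the attacker chooses to deploy. A wallet that wants to flag this has to reason about the approval itself (an unlimited token allowance to an empty account is suspicious on its own) rather than about the recipient's reputation.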
2023-11-13 20:44:18 bleepingcomputer CYBERCRIME Royal Ransomware Demands Top $275 Million From Global Victims
The Royal ransomware gang has targeted over 350 organizations worldwide, with ransom demands exceeding $275 million since September 2022. The FBI and CISA updated their advisory to include the latest information on the Royal ransomware operation's methods and victims. The gang frequently uses phishing emails to gain initial access and executes data exfiltration and extortion before encrypting the victims' data. If ransoms are not paid, the Royal ransomware gang publishes the victims' data on a leak site. Advisories suggest Royal ransomware may be linked to, or considering a rebrand with, BlackSuit ransomware, which shares similar coding characteristics. Royal Ransomware has connections to the infamous Conti cybercrime gang and has shown an increased intensity in malicious activities since September 2022. The gang has the capability to encrypt Linux systems targeting VMware ESXi virtual machines and conducts callback phishing attacks for network infiltration.
2023-11-13 19:07:09 bleepingcomputer CYBERCRIME Major Cyberattack Paralyzes DP World's Australian Port Operations
A cyberattack on DP World Australia caused significant disruption at Australian ports. DP World plays a pivotal role in global shipping, handling about 10% of container traffic with operations in 40 countries. The attack, which occurred on November 10, affected land-side freight and left about 30,000 containers stranded. The company activated its emergency protocols and brought in cybersecurity experts to restore systems. Operations are resuming slowly; delayed goods include critical and time-sensitive items, and damages are estimated in the millions. An internal investigation into which data was accessed is ongoing, with no confirmation of data exfiltration yet. DP World Australia has notified the Office of the Australian Information Commissioner because personal information may have been compromised.
2023-11-13 17:23:58 bleepingcomputer CYBERCRIME CISA Alerts Agencies to Secure Juniper Devices Against RCE Exploits
CISA has issued a warning for federal agencies to address critical vulnerabilities in Juniper devices by updating or restricting access to the J-Web interface. The urgency comes after Juniper confirmed that the vulnerabilities (CVE-2023-36844 to CVE-2023-36847) have been actively exploited in the wild. ShadowServer and watchTowr Labs detected exploitation attempts and emphasized the ease of exploiting these flaws due to the crucial role JunOS devices play in networks. Over 10,000 Juniper devices with exposed J-Web interfaces were identified, necessitating immediate security upgrades. CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch Agencies (FCEB) to secure affected devices within four days. While the mandate mainly concerns U.S. federal agencies, CISA strongly advises all entities, including private companies, to prioritize fixing the vulnerabilities to prevent potential risks.
2023-11-13 16:58:13 bleepingcomputer MALWARE BiBi Wiper Malware Threatens Windows and Linux Systems in Israel
Israeli authorities have issued a warning about the BiBi wiper malware attacking Linux and Windows systems. Security firms ESET and SecurityJoes identified the Linux variant in late October and attributed it to pro-Hamas hacktivists. Israel's CERT released an alert with indicators of compromise, urging organizations to load them into their security tooling and report any detections. The wiper carries no ransom note and performs no encryption: it irreversibly destroys data by overwriting files and hinders recovery by disabling backups and recovery modes. The Windows variant skips system-critical .EXE, .DLL, and .SYS files, but overwrites all other files with random bytes and renames them with random characters to complicate restoration. The initial infection vector is currently unknown; the malware runs multiple threads for speed and uses simple obfuscation to evade older antivirus signatures. The Karma hacktivist group believed to be behind the campaign has been linked to earlier Iranian operations that used similar data-destruction tactics. Detection material, including YARA rules and file hashes, has been published by BlackBerry, SecurityJoes, and Israel's CERT.
2023-11-13 15:05:55 bleepingcomputer CYBERCRIME Criminal IP Teams Up with Cisco SecureX/XDR for Improved Threat Intelligence
AI SPERA has integrated its Cyber Threat Intelligence search engine, Criminal IP, with Cisco SecureX/XDR to enhance cyber threat analysis. The integration aims to help organizations detect and mitigate threats more effectively by prioritizing risks and offering real-time insights. Cisco SecureX provides a unified platform with automation and intuitive threat detection and response capabilities. Through the integration, users can assess risks with enriched threat intelligence data, including real-time risk scores for IPs and domains. Features include access to detailed threat information such as open ports, vulnerabilities, WHOIS data, connected domains, phishing scores, and abuse history. This new capability will be available via the Integration Modules tab and can be accessed by contacting AI SPERA for the integration code. AI SPERA's service Criminal IP launched globally on April 17, 2023, and has established partnerships with major global security firms.
2023-11-13 14:35:09 theregister NATION STATE ACTIVITY Unprecedented Cyberattacks Target Denmark's Critical Infrastructure
Denmark's critical infrastructure organizations faced the most significant cyberattacks in the country's history, affecting 22 companies. Attackers exploited unpatched vulnerabilities in Zyxel firewalls, breaching networks and forcing some organizations into "island mode," disconnected from the internet. SektorCERT sees possible involvement of Sandworm, a group associated with Russia's GRU, and describes the campaign as highly coordinated and well resourced. Eleven of the sixteen energy organizations targeted in the first wave were compromised through exploitation of CVE-2023-28771, initially for reconnaissance. Later waves included attempts to enroll compromised firewalls in the Mirai botnet for DDoS attacks, and possible exploitation of Zyxel firewall zero-days before their public disclosure. SektorCERT noted that some compromised organizations did not know they had Zyxel firewalls at all, because third-party suppliers had installed them without clear communication. The final wave triggered alerts on traffic to IP addresses previously linked to Sandworm and caused minor operational disruptions. SektorCERT commends the quick response of its team and the affected organizations, and stresses the need to address systemic vulnerabilities in critical infrastructure.
2023-11-13 12:17:25 thehackernews CYBERCRIME New Ransomware Syndicate 'Hunters International' Utilizes Hive's Legacy
A new ransomware group named Hunters International has surfaced, using Hive's source code and infrastructure after Hive was dismantled by law enforcement. Hive, once a prominent ransomware-as-a-service operation, ceased after a coordinated crackdown in January 2023. Hunters International was identified through code similarities to Hive; the group denies being a simple rebrand and says it bought the assets from Hive's developers. Hunters International has claimed five victims so far, with a focus on data exfiltration rather than encryption alone. Its ransomware is written in Rust, which makes reverse engineering harder, echoing Hive's move to the language the previous year. The malware is simpler than Hive's, with fewer command line parameters and a streamlined execution flow. Bitdefender's report notes that while Hive was a significant threat, Hunters International's impact and standing in the cybercrime landscape remain to be seen.
2023-11-13 11:36:34 thehackernews MISCELLANEOUS Securing SaaS Marketing Tools: Overcome Top Five Security Challenges
Marketing departments extensively use SaaS applications for operations, facing unique security challenges due to various users and interconnected systems. External users, such as agency partners, require careful management of permissions to sensitive data, with the risk of access persisting even after employees leave. Publicly shared links for collaboration pose a risk of exposing sensitive assets if such links fall into the hands of unauthorized individuals. The connection of marketing apps to company credit cards requires vigilant security measures to prevent misuse and financial data breaches. Highly sensitive customer and prospect data within marketing SaaS tools necessitate robust access controls, multi-factor authentication, and user behavior monitoring. Marketing teams' reliance on numerous connected apps with varying permission levels increases the risk of intrusive access to company data. SaaS Security Posture Management (SSPM) solutions are critical for marketing teams to monitor and manage access, ensuring brand reputation and data integrity. SSPM platforms allow for collaboration between security and marketing departments to maintain productivity without compromising the security of marketing applications.
2023-11-13 10:20:02 theregister CYBERCRIME Innovative Data Diodes: Enhancing Cybersecurity Infrastructure
Data diodes, also known as unidirectional gateways, are designed to permit data transfer in one direction only, to protect critical networks. These devices are not new but are gaining commercial popularity because of the specific risks they mitigate: by enforcing one-way flow in hardware, they prevent an attacker who has compromised a less secure network from reaching the more sensitive one on the other side. Their makers argue they carry lower lifetime maintenance costs than traditional firewalls, whose rule sets must be maintained. They are particularly valuable in sectors where IT systems integrate with significant physical infrastructure, such as energy or manufacturing. While not a complete cybersecurity solution, data diodes considerably reduce the attack surface of critical systems. Industries are increasingly treating data diodes as a key component in securing IT and OT (operational technology) interconnections.
2023-11-13 10:14:45 theregister CYBERCRIME Embracing ADX Technology to Thwart Data Exfiltration
Traditional antivirus (AV) solutions are inadequate for stopping the latest cyber threats, particularly AI-enhanced intruders aiming at data exfiltration. Cybercriminals exploit sensitive information by capturing it from compromised systems, seeking to leverage it for ransom and extortion. BlackFog introduces on-device anti data exfiltration (ADX) technology, utilizing AI-based behavioural analytics to prevent unauthorized data transmission. ADX technology restricts even users with administrator privileges from sending unauthorized data outside the network, enhancing security measures. A webinar hosted by The Register with BlackFog's CEO, Dr Darren Williams, will discuss the effectiveness of ADX technology versus traditional AV solutions. The session aims to educate on securing devices and data against ransomware and how to implement ADX technology for superior cyber defence. Interested participants are invited to sign up for the webinar on data exfiltration prevention, scheduled for 15 November.