Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11712

Checks for new stories every ~15 minutes

2023-11-09 16:09:56 bleepingcomputer MALWARE Google Ads Exploited to Distribute Redline Malware via Fake CPU-Z App
A malicious campaign has been discovered using Google Ads to distribute a trojanized CPU-Z tool, which delivers Redline info-stealing malware. Malwarebytes analysts linked this malvertising operation to a previous one involving a fake Notepad++ update. The ad directs users to a convincing clone of WindowsReport, a legitimate Windows news site, which hosts the harmful download. The trojanized CPU-Z installer is signed with a valid certificate, reducing the likelihood of detection by security software. Victims who download and execute the file encounter the 'FakeBat' malware loader, which then retrieves and executes the Redline Stealer on the computer. Redline Stealer can collect a wide array of personal information from the victim’s machine, including passwords, cookies, and cryptocurrency wallet data. Users are advised to be cautious when clicking on promoted search results and to verify website authenticity or to use ad-blockers to prevent exposure to such threats.
2023-11-09 14:32:34 bleepingcomputer CYBERCRIME Microsoft Warns of Clop Ransomware Exploiting SysAid Zero-Day
A zero-day vulnerability in SysAid software has been exploited to launch Clop ransomware attacks. Microsoft’s Threat Intelligence Center identified the exploitation of the vulnerability, CVE-2023-47246, initially observed on November 2. The vulnerability allows attackers to perform unauthorized code execution on affected SysAid servers. Hackers gained access through a WAR file uploaded to the webroot, enabling them to deploy a webshell, execute scripts, and eventually download GraceWire malware. SysAid has issued a software update that patches the vulnerability, urging users to upgrade to version 23.3.36 or later. Attackers specifically checked for the absence of Sophos security products before proceeding with their malicious activities. Post-attack, threat actors attempted to delete evidence by removing activity logs and set up a Cobalt Strike listener for continued access. Indicators of compromise have been shared by SysAid, including file names, hashes, and IP addresses linked to the attack.
2023-11-09 13:31:18 thehackernews MALWARE Fake Windows News Site Spreads Malware via Malvertising Campaign
A new malvertising campaign is impersonating a legitimate Windows news portal to distribute a malicious version of a system profiling tool called CPU-Z. Fake sites are also targeting utilities like Notepad++, Citrix, and VNC Viewer, employing domain names and cloaking techniques to evade detection. When users click on the malicious ads, they are redirected to a fraudulent website that hosts a signed MSI installer with a harmful PowerShell script. The installer deploys a loader called FakeBat, which in turn installs RedLine Stealer to compromise the user's system. Cloaking methods show an innocuous blog to non-targeted users, concealing the malware distribution to targeted individuals. The misuse of Google Ads for distributing malware is part of a broader trend that includes other methods like AiTM phishing kits and the Wiki-Slack attack technique. eSentire highlights vulnerabilities in platforms like Slack where previews of Wikipedia links can be manipulated to point to malicious websites.
2023-11-09 12:40:07 theregister CYBERCRIME Advanced Cybercriminals Exploit Zero-Day in SysAid Software
MOVEit cybercriminals have exploited a fresh zero-day vulnerability in on-prem SysAid IT service desk software, linked to affiliate Lace Tempest of the Cl0p ransomware gang. Microsoft's Threat Intelligence discovered the attack, which affected a limited number of SysAid customers, and immediately reported it to SysAid for patching. The attackers achieved code execution by uploading a WAR archive with a web shell into SysAid's Tomcat web service, allowing for PowerShell scripts to install malware and erase evidence. SysAid promptly released patches, and users are advised to upgrade to the fixed version, check for indicators of compromise, and monitor any suspicious file uploads or child processes spawned by Wrapper.exe. The affiliated Lace Tempest's sophisticated techniques are comparable to those of a nation-state Advanced Persistent Threat (APT) group, with a history of significant cyberattacks this year. Cl0p, known for ransomware with double extortion, has recently opted for pure data extortion without encryption, a shift in tactics echoing broader trends in the cybercrime landscape.
2023-11-09 11:13:23 bleepingcomputer NATION STATE ACTIVITY Russian Hackers Utilize LOTL Tactics for Targeting Power Grid
Russian state hackers, identified as the Sandworm group, have adopted living-off-the-land (LOTL) techniques to disrupt critical industrial control systems, particularly in Ukraine. Sandworm's new methods allow quicker, less resource-intensive attacks on power infrastructure and are harder to detect. Mandiant responded to an attack in Ukraine and attributed it to Sandworm, which had accessed operational technology (OT) environments as early as June 2022. During an October 2022 power outage, Sandworm executed native MicroSCADA utility commands to disable substations, a deliberate use of LOTL techniques. Subsequently, Sandworm deployed the CADDYWIPER data-destroying malware in IT environments but spared the SCADA system and hypervisor, hinting at possible operational miscoordination. Analysis revealed that the hackers prepared for the disruption several weeks in advance, possibly coordinating with missile strikes for greater impact. Mandiant asserts that the evolution of Sandworm's OT arsenal suggests a capability to attack OT systems from various vendors, increasing the threat to infrastructure worldwide.
2023-11-09 10:58:01 thehackernews MISCELLANEOUS Wing Security Enhances Email Forwarding Risk Mitigation
Wing Security has expanded its SaaS security capabilities to address the risks associated with email auto-forwarding rules that may harm data security. The company now offers integrations for Gmail and Outlook as part of its solution to identify and control unintended sharing of sensitive information via auto-forwarded emails. Auto-forwarding emails are widely used for efficiency but pose risks by potentially sharing confidential data with external parties without authorization. Wing's shadow IT discovery process is designed to identify and mitigate unauthorized SaaS application use within an organization, enhancing security and compliance. The company's solution includes connecting to major SaaS applications, scanning endpoints for SaaS signature detection, and the new email scanning feature to uncover SaaS usage. Customers benefit from the ability to not only detect risky behavior but also directly remediate issues within Wing's platform, securing their digital environments.
2023-11-09 10:52:46 thehackernews NATION STATE ACTIVITY Iranian Hackers Utilize MuddyC2Go Framework in Israel Cyberattacks
Iranian nation-state actors have implemented a new command-and-control (C2) framework, dubbed MuddyC2Go, targeting Israeli entities. MuddyC2Go, developed in the Go programming language, is associated with the state-sponsored group MuddyWater, linked to Iran's Ministry of Intelligence and Security. The C2 framework has likely been active since early 2020, and its use follows the exposure of PhonyC2, another C2 platform deployed by MuddyWater. Attacks typically commence with spear-phishing emails containing malicious files or links, ultimately leading to additional payload deliveries. To avoid email security detection, the attackers have begun using password-secured archives that distribute executables with built-in PowerShell scripts. These scripts connect to the MuddyWater C2 server, which sends out PowerShell scripts executed at regular intervals to wait for commands. Despite the full capabilities of MuddyC2Go being uncertain, it is presumed to play a key role in generating PowerShell payloads for post-exploitation actions. Security recommendations include disabling PowerShell if unnecessary, or otherwise, intensively monitoring PowerShell activities.
2023-11-09 08:19:44 bleepingcomputer DDOS OpenAI's ChatGPT Hit by Targeted DDoS Attacks, Outages Ensue
OpenAI's API and ChatGPT services have been disrupted by DDoS attacks within the past 24 hours. These attacks caused periodic outages, leading to error messages for users attempting to access ChatGPT. OpenAI has been working to mitigate the outages, which it attributed to an "abnormal traffic pattern." The group known as Anonymous Sudan has claimed responsibility for the attacks, citing alleged bias in ChatGPT's responses. Anonymous Sudan has been active since January 2023 and has previously launched similar attacks against Microsoft services. Its Layer 7 DDoS attacks have proved effective at overloading the server and network resources of the targeted services. Some cybersecurity researchers speculate that the group is a false flag, suggesting possible links between Anonymous Sudan and Russia. OpenAI has not officially commented on the attribution of the attacks or on the specific details of the ongoing outages.
2023-11-09 08:04:20 theregister CYBERCRIME Coordinated Cyberattack and Missile Strikes Lead to Ukrainian Blackouts
Mandiant's intelligence team identified a coordinated cyberattack by Russia's Sandworm, carried out in conjunction with physical missile strikes, as the cause of power outages in Ukraine. Cyber operatives gained access to the operational technology (OT) of a Ukrainian power plant and executed an attack that coincided with missile strikes, affecting about one-third of the country's power. Sandworm's intrusion tactics remain unclear, but its presence was detected for up to three months within the plant's SCADA system before the power outage was triggered. The cyberattack used an "a.iso" disc image to deliver a command that shut down substations, followed by a variant of the CaddyWiper data-wiping malware targeting the plant's IT environment. The timing of the cyberattack suggests possible coordination with Russian kinetic military operations, although Mandiant cannot conclusively confirm this. The report pushes back on the view that fears of Sandworm's ability to disrupt critical infrastructure were exaggerated, while highlighting the diligence of Ukrainian defenders in mitigating such threats.
2023-11-09 06:58:08 theregister CYBERCRIME Predator AI: A Multifunction Cybersecurity Toolkit With Chatbot Assistant
Security researchers have discovered a new hacking tool called Predator AI, which targets cloud services and web applications. Predator AI can exploit common vulnerabilities in various web-based services, including AWS, Twilio, WordPress, Magento, OneSignal, Stripe, and PayPal. The toolkit comprises over 11,000 lines of Python code and offers a GUI for executing its numerous functions, including the creation of information-stealing malware. Although the tool is supposedly for educational use, it harbors malicious features and is capable of creating hard-to-detect malware for cybercrime. Predator AI has an optional chatbot assistant powered by OpenAI's ChatGPT, designed to answer operational questions and potentially handle requests. Despite its educational disclaimer, Predator AI presents serious risks, and organizations should verify their defenses against the techniques it employs. Security experts advise vigilance, as the tool may reuse code and attack methods found in other toolkits and continues to be actively developed.
2023-11-09 05:36:24 thehackernews DDOS Federal Alert on Active Exploitation of SLP Denial-of-Service Flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has cataloged a severe vulnerability in the Service Location Protocol (SLP) after evidence of active exploitation surfaced. The vulnerability, identified as CVE-2023-29552 with a CVSS score of 7.5, raises concerns over potential DoS amplification attacks. Security firms Bitsight and Curesec publicized the flaw in early April, highlighting its capability for a significant amplification factor in DoS attacks. Attackers can exploit this flaw by registering services and using spoofed UDP traffic to greatly amplify the impact of DoS attacks on networks and servers. The precise methods of exploitation have not been disclosed, though the acknowledged threat illustrates the potential for resource-limited attackers to cause considerable disruption. The CISA mandate requires federal agencies to implement prescribed mitigations, such as disabling SLP on systems within untrusted networks, by November 29, 2023. The alert emphasizes the urgency of addressing the flaw to defend against the documented real-world attacks exploiting this vulnerability.
2023-11-08 19:58:46 bleepingcomputer CYBERCRIME Windows 11 Boosts Default Network Security with SMB Firewall Rule Changes
Microsoft's new Windows 11 build now excludes firewall rules for SMB1 when creating new Server Message Block (SMB) shares, enhancing default network security. This change brings SMB firewall rules closer to the behaviour of the Windows Server "File Server" role, omitting inbound NetBIOS ports 137-139. Administrators can still make necessary configurations to the "File and Printer Sharing" group and modify the new firewall group. Microsoft plans future updates to remove inbound ICMP, LLMNR, and Spooler Service ports, restricting access to SMB sharing-necessary ports only. Alternative connections to an SMB server via TCP, QUIC, or RDMA over custom network ports are now supported by the SMB client, deviating from the hardcoded defaults. As part of recent security improvements, Windows 11 administrators can enforce encryption for all outbound connections via SMB client and configure systems to block sending NTLM data over SMB on remote outbound connections. These changes are part of Microsoft's extensive attempt to enhance Windows and Windows Server security following the disabling of the outdated SMB1 file-sharing protocol and strengthening defences against brute-force attacks with an SMB authentication rate limiter.
2023-11-08 19:07:17 theregister MISCELLANEOUS Microsoft and Meta Unveil Different Strategies to Combat Election Misinformation in 2024
Microsoft and Meta are implementing different strategies to combat misinformation during the upcoming elections in 2024, though the efficacy of these strategies is yet to be determined. Microsoft's strategy entails launching a five-step election protection plan in the United States and other countries where critical elections will take place in 2024. One of these steps is the Content Credentials service which will make use of digital watermarking metadata for images and videos. Through Content Credentials, campaigns can assert the originality of an image or video, while also protecting against tampering by showing if it has been altered after its credentials were created. This service is set to be rolled out in spring of 2024. In addition to watermarking, Microsoft will also form a "Campaign Success Team" to advise political campaigns on AI and cyber influence, create an Election Communications Hub for election authorities, and collaborate with organizations that label news sources as authoritative. Meta's strategy is focused on advertising. They will require advertisers to disclose if a social issue, electoral, or political ad contains a digitally created or altered photorealistic image or video, or realistic sounding audio. Meta's new policy will take effect in 2024 and apply globally. Non-compliance with the new policy could result in the rejection of ads. While Microsoft has not detailed how it will police misinformation spread via its platforms, Meta plans to rely on "independent fact-checking partners" to review content.
2023-11-08 18:36:12 bleepingcomputer DATA BREACH Sumo Logic Announces Security Breach; Advises Customers to Reset API Keys
Security and data analytics firm Sumo Logic experienced a security breach after its Amazon Web Services (AWS) account was compromised through stolen credentials. The company claims its systems and networks were not affected and that customer data remained encrypted throughout the incident. After the breach, the company locked down the accessible infrastructure and rotated potentially exposed credentials to prevent further compromise. Sumo Logic has intensified monitoring and addressed potential vulnerabilities to forestall similar incidents in the future. The company has urged its customers to rotate the credentials used to access its services as a precaution. Sumo Logic will notify customers directly if evidence of malicious access to their accounts is found. The firm's clientele includes major tech corporations such as Samsung, Okta, SAP, Airbnb, and Toyota.
2023-11-08 18:15:18 bleepingcomputer DDOS Russia's Sberbank Struck by Massive 1 Million RPS DDoS Attack
Two weeks ago, Russian state-owned Sberbank reported facing the largest Distributed Denial of Service (DDoS) attack in its history, at a scale of one million requests per second (RPS). Sberbank, which holds nearly one-third of all Russian assets, stated that the DDoS attack was approximately four times the size of any it had previously experienced. The bank asserts the attack was conducted by "new, very qualified criminals" whose methods and techniques were unfamiliar to it, indicating this may not have been the work of typical hacktivist groups. While significant, this attack does not match some of the most massive DDoS attacks seen recently, where new techniques are being used to generate a hundred times more impact, peaking at rates such as 398 million RPS for Google and 155 million RPS for Amazon. Sberbank previously reported facing large-scale DDoS attacks focused on its online customer services in May 2022, successfully fending off a 450GB/sec attack generated by a botnet of 27,000 compromised devices. In another recent cyber incident, the website of Russia's National Payment Card System was compromised, but the organization asserted that no sensitive customer data was available on the website and that the attack did not affect the payments system.