Daily Brief

Articles are listed below; each title is followed by a generated summary.

Total articles found: 11686

Checks for new stories every ~15 minutes

2023-11-07 07:18:26 thehackernews MALWARE Critical Atlassian and Apache Software Flaws Being Exploited for Ransomware Attacks
Ransomware groups are actively exploiting flaws in Atlassian Confluence and Apache ActiveMQ. Rapid7 has observed exploitation of two Confluence vulnerabilities, CVE-2023-22518 (improper authorization) and CVE-2023-22515 (privilege escalation), to deploy Cerber (C3RB3R) ransomware. Atlassian has raised the CVSS score of CVE-2023-22518 from 9.8 to 10.0 to reflect the active exploitation. Attackers target internet-facing Confluence servers and use the foothold to fetch a malicious payload hosted on a remote server. According to GreyNoise, the exploitation attempts originate from IP addresses in France, Hong Kong, and Russia. Separately, Arctic Wolf Labs disclosed that a flaw in Apache ActiveMQ (CVE-2023-46604) is being weaponized to deliver SparkRAT, a Go-based remote access trojan, as well as a ransomware variant resembling TellYouThePass.
2023-11-07 05:11:18 thehackernews MALWARE Veeam Issues Security Updates for Critical Flaws in ONE IT Monitoring Software
Veeam has released hotfixes for four vulnerabilities in its Veeam ONE IT monitoring and analytics platform, two of them rated critical. The flaws affect Veeam ONE 11, 11a, and 12, except CVE-2023-38548, which affects only version 12. In recent months, threat groups including FIN7 and the BlackCat ransomware operation have exploited serious flaws in Veeam's backup software to deliver malware. To apply the hotfix, administrators of affected Veeam ONE versions should stop the Monitoring and Reporting services, replace the existing files with those supplied in the hotfix, and then restart the services.
2023-11-07 00:32:00 theregister CYBERCRIME Woman Sentenced to 18 Months After Fed Sting Traps Her Using Fake Hitman Hiring Site
Zandra Ellis, 34, of New Orleans, was sentenced to 18 months in prison followed by three years of supervised release after attempting to hire a hitman through a parody website. She was also ordered to pay a $100 special assessment. Ellis submitted a request to Rentahitman.com under a pseudonym, apparently unaware of the site's true purpose; the site originally linked to the FBI's Internet Crime Complaint Center. On receiving her request, the site's webmaster contacted the FBI, and an agent conducted a sting operation that ended in her arrest. At the time of her arrest, Ellis was found in possession of a Ruger 308 pistol loaded with live rounds.
2023-11-06 22:35:01 theregister DATA BREACH US Immigration Officials Rebuke Claims of Lackluster Mobile Security Practices
The US Department of Homeland Security's Office of Inspector General (OIG) audited mobile device security at Immigration and Customs Enforcement (ICE) between April 27 and August 17 and reported "urgent issues", including "thousands" of questionable apps installed on ICE-managed devices by employees, contractors, and other DHS staff. The auditors said these apps could collect and monitor user and device information and therefore pose a risk to ICE operations, personnel, and homeland security as a whole. ICE reportedly did not monitor these third-party apps because they were treated as personal, even though they were installed on agency devices. An ICE spokesperson disputed the findings, saying there was no evidence of malicious activity on the devices or of any data breach, that immediate corrective action was taken in June, and that ICE had full visibility into third-party app activity on its devices at all times. ICE has reportedly begun implementing some of the auditors' recommendations, including blocking prohibited apps, vulnerable messaging apps, and VPN apps.
2023-11-06 21:58:58 bleepingcomputer MALWARE Critical Vulnerabilities Identified in Veeam ONE IT Infrastructure Monitoring Platform
Veeam has released hotfixes for four vulnerabilities in Veeam ONE, its IT infrastructure monitoring and analytics platform. Two are rated critical, with CVSS base scores of 9.8 and 9.9, and allow remote code execution (RCE) and theft of NTLM hashes from vulnerable servers. The first lets an unauthenticated user obtain information about the SQL server connection Veeam ONE uses to reach its configuration database, which can lead to remote code execution on the SQL server hosting that database. The second lets an unprivileged user with access to the Veeam ONE Web Client obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. The two remaining medium-severity bugs require user interaction or have limited impact; one lets an attacker with the Power User role steal an administrator's access token through cross-site scripting (XSS). All four affect currently supported Veeam ONE versions up to the latest release, and hotfixes are available for each. The disclosure follows Veeam's March fix for a high-severity vulnerability in its backup service that has since been linked to multiple ransomware operations.
2023-11-06 20:27:05 bleepingcomputer MALWARE Hackers Exploit 'Looney Tunables' Linux Bug with Kinsing Malware to Steal Cloud Credentials
Operators of the Kinsing malware, known for breaching cloud environments, have exploited the Linux glibc vulnerability dubbed "Looney Tunables" (CVE-2023-4911) to escalate privileges and steal cloud credentials. They first gain access by exploiting a vulnerability in the PHPUnit PHP testing framework, then escalate privileges with Looney Tunables. Unusually for Kinsing, the attack was carried out manually, suggesting a shift toward testing a technique by hand before scripting it. After exploitation, the group downloads a script and a PHP script that deploy a JavaScript web shell backdoor supporting later phases of the attack, such as command execution, file management, data collection, and encryption/decryption. The attackers showed particular interest in Cloud Service Provider (CSP) credentials, specifically AWS instance identity data. This marks a move toward more sophisticated activity for Kinsing and is believed to be an experimental campaign with an expanded scope of collecting CSP credentials.
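The privilege escalation in the Kinsing chain above depends on an attacker-controlled GLIBC_TUNABLES environment variable being handed to a set-uid binary. The following is an added example written for this brief, not code from the article or from the Kinsing research: it reads process environments in the /proc/<pid>/environ layout (NUL-separated KEY=VALUE entries, supplied here as constructed samples) and flags tunables strings with the doubled "name=name=value" assignment that the public proof of concept for CVE-2023-4911 relies on. The length threshold and the tunable-name pattern are this example's own heuristics.

```python
"""Flag GLIBC_TUNABLES values shaped like the CVE-2023-4911 trigger.

Added example for this brief, not code from the article or from the Kinsing
research. Input is the /proc/<pid>/environ layout (NUL-separated KEY=VALUE
entries). The length threshold and the name pattern are heuristics chosen here.
"""
import re
from dataclasses import dataclass

# Legitimate tunables look like glibc.<namespace>.<name>; anything else is
# either a typo or padding an attacker is trying to push through ld.so.
TUNABLE_NAME = re.compile(r"^glibc\.[a-z_]+\.[a-z0-9_]+$")
MAX_TUNABLES_LEN = 256  # heuristic; real-world values are a few dozen bytes


@dataclass
class Finding:
    pid: int
    reason: str
    sample: str  # first 60 characters of the offending value


def parse_environ(blob: bytes) -> dict[str, str]:
    """Split a /proc/<pid>/environ blob into a dict; first occurrence wins."""
    env: dict[str, str] = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if not (sep and key):
            continue
        name = key.decode("latin-1")
        if name not in env:
            env[name] = value.decode("latin-1", "replace")
    return env


def suspicious_tunables(value: str) -> list[str]:
    """Return the reasons a GLIBC_TUNABLES string looks like an exploit attempt."""
    reasons = []
    if len(value) > MAX_TUNABLES_LEN:
        reasons.append(f"value is {len(value)} bytes, over the {MAX_TUNABLES_LEN} limit")
    for token in value.split(":"):
        if not token:
            continue
        name, _, rest = token.partition("=")
        if "=" in rest:
            # Vulnerable glibc copied such a token into its buffer twice,
            # which is the overflow the public proof of concept triggers.
            reasons.append(f"doubled assignment in {token[:40]!r}")
        elif not TUNABLE_NAME.match(name):
            reasons.append(f"unknown tunable name {name!r}")
    return reasons


def scan(environs: dict[int, bytes]) -> list[Finding]:
    """Check every process environment for a hostile GLIBC_TUNABLES value."""
    findings = []
    for pid, blob in environs.items():
        value = parse_environ(blob).get("GLIBC_TUNABLES")
        if value is None:
            continue
        for reason in suspicious_tunables(value):
            findings.append(Finding(pid, reason, value[:60]))
    return findings


# Constructed sample environments, not captured from a real host.
SAMPLE_ENVIRONS = {
    1337: b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.check=3:glibc.malloc.perturb=85\0",
    4242: (b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast="
           + b"A" * 1000 + b"\0HOME=/tmp\0"),
    5151: b"PATH=/usr/bin\0HOME=/var/www\0",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_ENVIRONS):
        print(f"pid {f.pid}: {f.reason} ({f.sample!r})")
```

On a live host the same `scan` function can be fed `{pid: open(f"/proc/{pid}/environ", "rb").read()}` for each process; the environment of a short-lived exploit process is easy to miss this way, so pairing the check with execve auditing of set-uid binaries is the more reliable detection. The real fix is updating glibc.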
2023-11-06 20:01:22 bleepingcomputer MISCELLANEOUS Microsoft to Roll Out MFA-Enforcing Policies for Admin Portal Access
Microsoft will soon roll out Microsoft-managed Conditional Access policies that require multifactor authentication (MFA) for administrators signing in to admin portals such as Microsoft Entra, Microsoft 365, Exchange, and Azure. Two further policies require MFA for all cloud apps for users already covered by per-user MFA, and MFA for high-risk sign-ins; the latter is available only to Microsoft Entra ID P2 customers. The policies will be created in report-only mode and automatically enabled on tenants after a 90-day review and opt-out period. Alex Weinert, Microsoft Vice President for Identity Security, recommends MFA for all user access because of its effectiveness in reducing account takeover. Admins will be able to change the state of Microsoft-managed policies and exclude specific identities, and Microsoft says it plans to combine machine learning-based policy insights with automated policy rollout.
2023-11-06 17:43:21 bleepingcomputer CYBERCRIME Atlassian Confluence flaw exploited in Cerber ransomware attacks
A critical improper authorization flaw in Atlassian Confluence, CVE-2023-22518, is being exploited to encrypt victims' files with Cerber ransomware. The vulnerability affects all versions of Confluence Data Center and Confluence Server. Atlassian released security updates and urged customers to patch, warning that the flaw could be used to wipe data. It later disclosed that a proof-of-concept exploit was publicly available and recommended backing up affected systems and blocking Internet access to unpatched servers until they are updated. Threat monitoring service ShadowServer reported more than 24,000 Confluence instances exposed online, though it could not determine how many were vulnerable to CVE-2023-22518. Atlassian then updated its advisory to say attackers were targeting the flaw following the PoC release. Rapid7 confirmed widespread exploitation of Confluence servers through the CVE-2023-22518 authentication bypass and through CVE-2023-22515, a critical privilege escalation flaw previously exploited as a zero-day, leading to ransomware deployment. Cerber ransomware was also used in attacks on Confluence servers two years ago via CVE-2021-26084, a remote code execution vulnerability that had earlier been exploited to install cryptominers.
2023-11-06 17:27:37 thehackernews MALWARE Updated Version of Jupyter Infostealer Malware Utilizes More Stealth Tactics
An upgraded version of the Jupyter Infostealer has emerged with "simple yet impactful changes" that let it establish a persistent, stealthy presence on compromised systems. The infostealer, also tracked as Polazert, SolarMarker, and Yellow Cockatoo, has traditionally relied on search engine optimization (SEO) poisoning and malvertising for initial access. The latest version is signed with various certificates to lend it a veneer of legitimacy and uses PowerShell to connect to a remote server, from which it decodes and launches the stealer payload. Other recently updated stealers include Lumma Stealer and Mystic Stealer, both of which now incorporate a loader and can generate builds with improved obfuscation, making them more versatile and capable of loading second-stage payloads, including ransomware, onto victims. The report also highlights the PrivateLoader and Amadey loaders, which have been observed infecting devices with a proxy botnet known as Socks5Systemz; the botnet is estimated to comprise roughly 10,000 infected systems spread across the globe. Such loaders exemplify the continually evolving malware ecosystem, enabling data theft through stealers and remote access trojans.
2023-11-06 17:22:02 bleepingcomputer CYBERCRIME US Sanctions Russian National Over Money Laundering For Ryuk Ransomware Affiliate
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned Russian national Ekaterina Zhdanova, who is accused of laundering millions of dollars in cryptocurrency for various individuals, including ransomware actors. According to OFAC, Zhdanova used her knowledge of cryptocurrency and blockchain networks to evade Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) controls, and she is believed to have laundered over $2.3 million in suspected ransom payments for an affiliate of the Ryuk ransomware operation. Her methods included fraudulently opened investment accounts and real estate purchases to obscure the illegal origin of the funds, as well as a global network of money launderers to conceal her activities. Beyond ransomware, she allegedly helped Russian oligarchs evade sanctions imposed after Russia's invasion of Ukraine. Under the sanctions, Zhdanova's U.S.-based assets are frozen and U.S. persons are prohibited from transacting with her.
2023-11-06 16:56:13 thehackernews MALWARE QNAP Releases Security Patches for Critical OS Flaws Vulnerable to Arbitrary Code Execution
Taiwanese company QNAP has released security updates for two critical flaws in its operating systems that could lead to arbitrary code execution. The more severe, CVE-2023-23368 (CVSS score: 9.8), is an OS command injection vulnerability in QTS, QuTS hero, and QuTScloud that could let remote attackers execute commands over the network. QNAP also fixed a similar command injection flaw, CVE-2023-23369 (CVSS score: 9.0), in QTS, Multimedia Console, and the Media Streaming add-on, which offers the same attack route. The issues were disclosed in an advisory urging users running affected versions to update. The fixes follow QNAP's announcement several weeks earlier that it had taken down a malicious server used primarily for brute-force attacks against NAS devices with weak passwords.
2023-11-06 16:20:03 theregister NATION STATE ACTIVITY US OFAC Slaps Sanctions on Russian Money Launderer Allegedly Linked to Ransomware Criminals
The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned Ekaterina Zhdanova, a Russian woman accused of laundering money for oligarchs and ransomware criminals, including Ryuk ransomware affiliates; she allegedly laundered over $2.3 million in ransom payments in 2021. Seven members of the Wizard Spider group, linked to the Ryuk, Conti, and Trickbot operations, were sanctioned earlier this year. Zhdanova moved funds through cryptocurrency exchanges lacking anti-money laundering controls, such as the Russian Garantex platform, as well as through international money launderers, cash, and traditional businesses. She has reportedly moved funds for Russia's elite, in one instance transferring over $100 million to the United Arab Emirates for an oligarch, and ran a UAE tax residency service for high-paying clients that may have helped conceal their identities. The sanctions are part of US efforts to undermine Russia's economy and its ability to finance the war following the invasion of Ukraine; over 2,500 Russia-linked individuals and entities have been added to OFAC's SDN list since then. Although paying a ransom to a sanctioned group is illegal, 41% of victims still pay, according to Astra Security. Chainalysis separately reported that ransomware criminals had extorted at least $449.1 million from victims by June 2023, putting the year on course to be the second most lucrative on record for them.
2023-11-06 15:38:48 bleepingcomputer CYBERCRIME Vulnerability CVE-2023-46604 in Apache ActiveMQ Exploited to Deploy Ransomware
Cybersecurity companies Arctic Wolf and Huntress Labs report that a critical remote code execution (RCE) flaw in Apache ActiveMQ has been exploited over the past two weeks to deploy SparkRAT malware. The flaw, CVE-2023-46604, is a maximum-severity bug in the open-source ActiveMQ message broker that lets unauthenticated attackers execute arbitrary commands on vulnerable servers. More than 4,770 of the roughly 9,200 ActiveMQ servers exposed online remain vulnerable. Apache has released security updates, and administrators are strongly advised to apply them immediately. Attackers have also used the bug to deploy HelloKitty and TellYouThePass ransomware on compromised networks, with similarities noted between the two campaigns. The resurgence of TellYouThePass, which has expanded its targeting to Linux and macOS systems, underscores the urgency of patching.
2023-11-06 14:11:49 thehackernews CYBERCRIME New Android Dropper-as-a-Service Circumvents Google's Security Measures
A new Android dropper-as-a-service (DaaS) called SecuriDropper bypasses Google's latest security restrictions to deliver malware. Android droppers act as a conduit for installing a payload on a compromised device, making them a profitable business for threat actors who rent the capability to other criminal groups. SecuriDropper targets Android 13's Restricted Settings, which are designed to stop sideloaded apps from obtaining the Accessibility and Notification Listener permissions that banking trojans routinely abuse. The dropper poses as an innocuous app and works around the restriction by requesting permissions to read and write external storage and to install and delete packages. ThreatFabric, the Dutch security firm that discovered SecuriDropper, reports that Android banking trojans such as SpyNote and ERMAC were distributed through the service via deceptive websites and third-party platforms, including Discord. Another dropper service offering the same Restricted Settings bypass is Zombinder, which was believed to have been shut down earlier this year. The connection between the two tools is still unclear, but as Google tightens security with each Android release, cybercriminals continue to adapt, and DaaS platforms are becoming increasingly potent tools.
2023-11-06 14:06:16 theregister DATA BREACH Okta confirms October breach affected less than 1% of customers, including 1Password, Cloudflare, BeyondTrust
Identity provider Okta confirmed that its October breach affected 134 customers, fewer than 1% of its customer base. The company attributed the breach to an insider mishap: an employee's personal Google profile, signed in on a company-managed device, was compromised. Victims included password manager 1Password, Cloudflare, and BeyondTrust. The attackers obtained HTTP Archive (HAR) files uploaded to Okta's support system; these files record browser sessions and can contain session cookies and tokens that allow an attacker to impersonate valid users. Okta also disclosed an unrelated breach at a third-party vendor that exposed records of nearly 5,000 current and former employees. In other news, Texas-based mortgage and loan company Mr. Cooper remains largely offline after an as-yet unexplained cybersecurity incident; Cisco released multiple security updates, including a critical patch for its Firepower Management Center; and version 4 of the Common Vulnerability Scoring System (CVSS) has been published.
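The Okta incident above turned on HAR files that still carried live session cookies when they were uploaded for support. The following is an added example written for this brief, not code from the article or from Okta: it walks a HAR document and overwrites cookie and authorization material before the file leaves the customer's hands. HAR is JSON, and the keys used here (log, entries, request, response, headers, cookies, name, value) are part of the HAR 1.2 format; the set of header names treated as sensitive and the sample capture are this example's own.

```python
"""Strip session material from a HAR file before handing it to a vendor.

Added example for this brief, not code from the article or from Okta. The keys
walked here are defined by the HAR 1.2 format; the header list is a local
choice, and the sample capture below is constructed.
"""
import copy
import json

SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key",
}
REDACTED = "[REDACTED]"


def redact_har(har: dict) -> tuple[dict, int]:
    """Return a redacted deep copy of `har` and the number of values replaced.

    Every Cookie/Set-Cookie/Authorization-style header and every entry in the
    request and response cookie arrays is overwritten; URLs, status codes and
    timings, which support staff actually need, are left intact.
    """
    out = copy.deepcopy(har)
    redactions = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    redactions += 1
            for cookie in message.get("cookies", []):
                if "value" in cookie:
                    cookie["value"] = REDACTED
                    redactions += 1
    return out, redactions


def redact_har_file(path_in: str, path_out: str) -> int:
    """Read a HAR file, write the redacted copy, return the redaction count."""
    with open(path_in, encoding="utf-8") as fh:
        har = json.load(fh)
    redacted, count = redact_har(har)
    with open(path_out, "w", encoding="utf-8") as fh:
        json.dump(redacted, fh, indent=2)
    return count


# Constructed sample capture; the cookie values are placeholders, not real tokens.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.com/api/v1/users/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=abc123"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "abc123"}],
                },
                "response": {
                    "status": 200,
                    "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                    "cookies": [{"name": "sid", "value": "def456"}],
                },
            }
        ],
    }
}

if __name__ == "__main__":
    clean, n = redact_har(SAMPLE_HAR)
    print(f"{n} values redacted")
    print(json.dumps(clean, indent=2))
```

Request bodies (`postData.text`) and URL query strings are not touched by this walk and can also carry tokens, so review them before sharing or extend the loop to cover them. Redaction only limits the damage; the matching server-side control is to treat a HAR upload as a credential exposure and invalidate the sessions it contains.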