Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11686
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-06 12:49:00 | bleepingcomputer | CYBERCRIME | QNAP Issues Warning over Critical Command Injection Flaws in QTS OS and Apps | QNAP Systems issued advisories for two critical command injection vulnerabilities present in multiple versions of the QTS operating system and associated apps on its network-attached storage (NAS) devices.
The first vulnerability, tracked as CVE-2023-23368, has a critical CVSS score of 9.8 out of 10 and is exploitable by remote attackers. Affected versions are QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1.
The second flaw, CVE-2023-23369, carries a slightly lower CVSS score of 9.0 but can be exploited to similar effect by remote attackers. Impacted versions are QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, plus the Multimedia Console 2.1.x and 1.4.x, and the Media Streaming add-on 500.1.x and 500.0.x.
Remediation for both vulnerabilities is available and involves updating QTS, QuTS hero and QuTScloud. Instructions have also been provided for updating the Multimedia Console and the Media Streaming add-on.
QNAP advised users to apply the patches promptly given the severity of the flaws. Because NAS devices are typically used to store data, these vulnerabilities could allow attackers to steal or encrypt sensitive files. QNAP devices have been targeted by ransomware in the past, notably by the DeadBolt gang. | Details |
| 2023-11-06 12:02:30 | bleepingcomputer | MALWARE | SecuriDropper Service Bypasses Android Security to Install Malware | A new dropper-as-a-service (DaaS) operation named 'SecuriDropper' bypasses the 'Restricted Settings' feature in Android, allowing it to install malware on devices and grant that malware access to Accessibility Services.
Android 13 introduced Restricted Settings, which normally prevents apps installed from outside Google Play (sideloaded APKs) from being granted sensitive capabilities such as Accessibility Services and the Notification Listener. SecuriDropper circumvents this by installing its payload through the session-based package installation API rather than the ordinary APK install flow.
Because session-based installs are treated like installs from an app store, the 'Restricted setting' dialog that would otherwise block the payload from obtaining dangerous permissions is never triggered. The bypass is reported to also work on Android 14.
SecuriDropper poses as a legitimate app, such as a Google app, an Android update, a video player, or a game. It first obtains the permissions it needs, then tricks the user into installing the second-stage payload through deceptive user interface prompts.
Cybersecurity firm ThreatFabric observed SecuriDropper distributing SpyNote spyware and banking trojans. The company also reported a resurgence of Zombinder, another DaaS operation that uses the same method to bypass Restricted Settings, binding malicious payloads to legitimate apps to infect devices.
Google had not provided a comment or fix for this recurring problem at the time of the report. Android users are advised to avoid downloading APK files from obscure sources and to regularly review and revoke app permissions as necessary. | Details |
| 2023-11-06 11:36:45 | theregister | MISCELLANEOUS | Building Operational Resilience Against Cyber Threats - Insights from Britvic | The rise of cybersecurity threats such as ransomware and breaches via insecure third-party connections can severely affect operational resilience, particularly for operational technology (OT) systems such as those used in manufacturing.
These types of threats have reportedly increased since the onset of the COVID-19 pandemic.
Industrial control systems (ICS) must be protected against the risks and vulnerabilities introduced by always-on connectivity.
To remain secure and compliant, organisations need visibility of assets and vulnerabilities across their wider networks, along with automated threat detection.
Britvic, a soft drinks company, overcame security challenges that threatened its systems. The company's Senior Manager for OT Compliance & Cyber Security, David Cox, will share insights on best practices in a webinar on 8 November.
The webinar, which will discuss the evolution of threats to OT security and how to maintain effective security practices, is intended to help organisations strengthen their operational resilience. | Details |
| 2023-11-06 10:35:03 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Target Israeli Tech and Education Sectors with Wiper Malware | The Iranian hacking group Agonizing Serpens, also known as Agrius, BlackShadow, and Pink Sandstorm, has been carrying out a series of cyber attacks on Israel's higher education and technology sectors since January 2023.
The attacks aim to steal sensitive data such as personally identifiable information (PII) and intellectual property; once the data has been exfiltrated, the attackers deploy wiper malware to cover their tracks and render the infected endpoints unusable.
Three new wipers (MultiLayer, PartialWasher, and BFG Agonizer) were used, along with a tool called Sqlextractor that pulls information from database servers.
Agonizing Serpens, active since at least December 2020, has been linked to previous attacks on Israeli entities using a ransomware strain called Moneybird.
In the recent attacks the group exploited vulnerable internet-facing web servers, deployed web shells, and stole user credentials to move further into internal networks.
The attackers use a mix of public and custom tools, including Sqlextractor, WinSCP, and PuTTY, to exfiltrate data and deliver the wipers.
Agonizing Serpens has recently upgraded its capabilities and invested in evading Endpoint Detection and Response (EDR) and other security controls, rotating between publicly known proof-of-concept (PoC) and penetration testing tools as well as custom tooling. | Details |
| 2023-11-06 08:27:46 | thehackernews | CYBERCRIME | Threat Actors Exploit Google Calendar for Covert C2 Infrastructure | Google has issued a warning that threat actors are interested in using its Calendar service as covert command-and-control (C2) infrastructure.
The public proof-of-concept (PoC) tool, named Google Calendar RAT (GCR), relays commands and results through Google Calendar events using a Gmail account and was first published on GitHub in June 2023.
While Google has not yet observed the tool being used in real-world attacks, its Mandiant threat intelligence unit has seen the PoC being shared on underground forums.
Because it operates entirely over legitimate infrastructure, the tool is difficult for defenders to detect: its traffic blends in with ordinary user activity.
Highlighting the broader abuse of cloud services to compromise environments, Google also flagged an Iranian nation-state actor using macro-laced documents and a small .NET backdoor codenamed BANANAMAIL.
Google's Threat Analysis Group has since disabled the attacker-controlled Gmail accounts that the malware was using. | Details |
| 2023-11-06 05:33:10 | thehackernews | CYBERCRIME | U.S. Treasury Sanctions Russian Woman for Cybercrime-Related Money Laundering | The U.S. Treasury has imposed sanctions on Ekaterina Zhdanova, a Russian national accused of laundering virtual currency for Russian elites and cybercriminal groups, including the Ryuk ransomware group.
Zhdanova reportedly facilitated large cross-border transactions, enabling Russian individuals to access Western financial markets and circumvent international sanctions.
The transactions were reportedly routed through entities lacking Anti-Money Laundering and Combating the Financing of Terrorism controls, such as the OFAC-designated Russian cryptocurrency exchange Garantex.
Garantex was sanctioned by the U.S. in April 2022, coinciding with the takedown of the Hydra dark web marketplace.
Zhdanova is accused of laundering over $2.3 million in suspected victim payments on behalf of a Ryuk ransomware affiliate in 2021.
A record 514 ransomware victims were reported in September 2023, a 153% increase year-on-year.
The surge in ransomware attacks has prompted the 50 member countries of the International Counter Ransomware Initiative to pledge that their governments will not pay ransom demands, in an attempt to deter financially motivated ransomware gangs. | Details |
| 2023-11-05 15:21:23 | bleepingcomputer | MALWARE | 'Socks5Systemz' Proxy Botnet Infects 10,000 Systems Globally | A proxy botnet dubbed 'Socks5Systemz' has infected approximately 10,000 systems worldwide via the malware loaders 'PrivateLoader' and 'Amadey'. The malware turns infected computers into traffic-forwarding proxies for malicious or anonymised traffic.
BitSight detailed the Socks5Systemz bot in a report, revealing that the botnet has been active since at least 2016 but has recently grown in prevalence.
The proxy bot payload is a 300 KB 32-bit DLL. It relies on a domain generation algorithm (DGA) to locate its command-and-control (C2) server, to which it sends profiling information about the infected system.
BitSight discovered an extensive control infrastructure, with servers primarily located in Europe, used to operate the botnet. Roughly 10,000 distinct systems have been observed communicating with these servers since October 2021, which is how the victim count was estimated.
Infections are globally distributed, but most have been found in India, the United States, Brazil, Colombia, South Africa, Argentina, and Nigeria.
The proxy service built on Socks5Systemz is sold through 'Standard' and 'VIP' subscriptions, with customers paying anonymously via the crypto payment gateway 'Cryptomus'.
Illicit residential proxy botnets of this kind pose a significant threat to internet security, hijacking victims' bandwidth without authorisation; their services are in demand for shopping bots and for bypassing geographic restrictions, which keeps them popular. | Details |
| 2023-11-04 15:19:37 | bleepingcomputer | MALWARE | Discord to Implement Temporary File Links to Block Malware Distribution | Discord plans to switch to temporary CDN links by the end of the year to hinder the use of its network for malware distribution. The change is intended to improve user safety and restrict access to flagged content.
Once implemented, links to files uploaded to Discord servers will expire after 24 hours, effectively ending the use of Discord's CDN as a permanent file hosting platform.
Three new query parameters (an expiration timestamp, an issue timestamp and a unique signature) will be added to CDN URLs; a link is only valid until its expiration time, and the signature prevents clients from simply editing the timestamps.
After a link expires, apps will need to fetch a new CDN URL. The API will automatically return valid, unexpired URLs whenever a resource containing an attachment CDN URL is requested.
The change is seen as a significant step towards curbing cybercrime on the platform. Discord servers have frequently been used for illegal activity by both financially motivated and state-backed hacking groups.
Discord's permanent file hosting has been abused to distribute malware and, via webhooks, to exfiltrate data gathered from compromised systems. Cybersecurity firm Trellix reports that Discord CDN URLs have been used in around 10,000 malware operations. | Details |
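The summary above describes signed, expiring CDN links only in outline. The following is an added illustration of that pattern, not Discord's code: Discord's actual signing key, scheme and parameter names are not public, so the key, the `example.invalid` host and the `is`/`ex`/`hm` parameter names here are assumptions. The point it makes is that a link carries its own validity window, and that tampering with either the path or the window invalidates the signature.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret. In production this lives in an HSM or
# secrets manager and is rotated; it is hard-coded here only so the
# example runs offline.
SIGNING_KEY = b"example-cdn-signing-key-rotate-me"

DEFAULT_TTL = 24 * 3600  # links expire after 24 hours, as in the summary


def _mac(path: str, issued: int, expires: int) -> str:
    """HMAC over the path and both timestamps, so none can be edited."""
    msg = f"{path}|{issued}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, issued_at: int, ttl: int = DEFAULT_TTL) -> str:
    """Return a CDN URL for `path` valid from issued_at for `ttl` seconds."""
    expires = issued_at + ttl
    query = urlencode({"is": issued_at, "ex": expires, "hm": _mac(path, issued_at, expires)})
    return f"https://cdn.example.invalid{path}?{query}"


def verify_url(url: str, now: int) -> bool:
    """Accept the URL only if it is inside its window and the MAC matches."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    try:
        issued = int(q["is"][0])
        expires = int(q["ex"][0])
        presented = q["hm"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters
    if not (issued <= now < expires):
        return False  # expired, or issued in the future
    expected = _mac(parts.path, issued, expires)
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(expected, presented)


def refresh_if_expired(url: str, now: int) -> str:
    """Mimic the API behaviour described above: hand back a fresh link
    for the same object when the presented one is no longer valid."""
    if verify_url(url, now):
        return url
    return sign_url(urlparse(url).path, now)


if __name__ == "__main__":
    link = sign_url("/attachments/123/456/report.pdf", int(time.time()))
    print(link)
    print("valid now:", verify_url(link, int(time.time())))
```

Tampering with `ex` to extend a link, or reusing a valid `hm` against a different path, fails verification because both values are covered by the MAC; the only way to obtain a longer-lived link is to ask the API for a new one, which is exactly what forces malware operators to keep re-fetching.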
| 2023-11-04 14:13:14 | bleepingcomputer | CYBERCRIME | Apple 'Find My' Network Vulnerable to Abuse, Can Stealthily Transmit Keylogged Data | Apple's "Find My" service, which locates lost or stolen devices using GPS and Bluetooth data relayed by millions of Apple devices worldwide, can be abused to covertly exfiltrate keylogged data.
The potential for abuse was first discovered by Positive Security researchers two years ago; they have now built a proof-of-concept device to demonstrate the risk.
The researchers integrated a keylogger with an ESP32 Bluetooth transmitter into a keyboard, showing that passwords and other text typed on it can be forwarded over the Find My network via Bluetooth.
The keylogger needs neither an AirTag nor an Apple-supported chip, because nearby Apple devices respond to any Bluetooth advertisement in the expected Find My format. A correctly formatted message prompts the receiving Apple device to create a location report and upload it to the Find My network, where the attacker can later retrieve it.
Transmission and retrieval rates are low, but the researchers note this is no obstacle for an attacker seeking small, high-value data such as passwords.
Apple's anti-tracking protections, which alert users to unknown AirTags travelling with them, do not detect this technique, so the device remains concealed. Apple had not responded to the issue at the time of the report. | Details |
| 2023-11-04 09:38:59 | thehackernews | MALWARE | StripedFly Malware Infects One Million Devices Globally, Operating Unnoticed for Over 5 Years | Russian cybersecurity company Kaspersky has discovered a malware strain, named "StripedFly" and long mistaken for a simple cryptocurrency miner, which it says has infected at least a million devices worldwide while going undetected for over five years.
The malware, first detected in 2017, uses a custom EternalBlue SMBv1 exploit thought to be linked to the Equation Group to compromise publicly accessible systems.
Besides the mining module, its features include collecting sensitive data, executing PowerShell scripts, disabling the SMBv1 protocol on infected hosts (closing the door it came in through), and spreading to other systems via a worming module.
StripedFly can also carry out espionage tasks such as recording microphone input, capturing screenshots, and harvesting user credentials every two hours.
The malware communicates with its command-and-control (C2) server over a custom, lightweight Tor client, and falls back to public code repositories for downloading updates if the C2 server becomes unresponsive.
Researchers assess the malware as the work of an advanced persistent threat (APT), noting that its coding style and certain features resemble those of the Equation Group.
Despite its extensive capabilities, StripedFly's true purpose and origin remain unknown, leaving researchers puzzled as to why such sophisticated malware would be used for something as mundane as cryptomining. | Details |
| 2023-11-04 07:42:00 | theregister | CYBERCRIME | Corrupt British Police Officer Jailed for Revealing Encryption Breach to Friend | Natalie Mottram, a former intelligence analyst for the North West Regional Organised Crime Unit, has been sentenced to nearly four years in prison for warning a friend that the EncroChat encrypted messaging network had been compromised.
She was convicted of misconduct in public office, perverting the course of justice, and unauthorised access to computer material.
Mottram was caught as part of Operation Venetic, the UK National Crime Agency (NCA) effort to act on material from EncroChat, an encrypted messaging service popular with criminals.
In 2020, police in France and the Netherlands infiltrated the network and harvested conversations, which were then used to make arrests across Britain. To date, 3,147 suspects have been arrested and 1,240 convicted on the basis of EncroChat evidence.
Mottram tipped off Jonathan Kay, 39, that his EncroChat conversations were being monitored. After her warning, an acquaintance of Kay's alerted other EncroChat users to the surveillance, leading police to suspect a leak.
Operation Venetic has also prompted legal challenges arguing that the mass interception of the chat network breached European and UK law, and questioning the admissibility of the evidence obtained.
Kay, who admitted perverting the course of justice, was sentenced to 30 months in prison. | Details |
| 2023-11-04 06:05:18 | thehackernews | DATA BREACH | Okta Discloses Data Breach Impacting 134 of Its 18,400 Customers | Okta, an identity and access management provider, announced that 134 of its 18,400 customers were affected by the recent breach of its customer support system. The intrusion lasted from September 28 to October 17, 2023.
The intruder gained unauthorised access using a stolen credential for a service account in Okta's customer support case management system. The compromised account could view and update customer support cases.
Using session tokens found in those support cases, the intruder hijacked the legitimate Okta sessions of five customers, among them 1Password, BeyondTrust, and Cloudflare.
Okta revealed that the service account credential had been saved in an employee's personal Google account, which the employee had signed into via Chrome on an Okta-managed laptop. Okta believes the credential was most likely exposed through that personal Google account or a personal device.
Following the breach, Okta revoked the hijacked session tokens, disabled the compromised service account, and blocked the use of personal Google accounts on Okta-managed laptops. It has also added session token binding based on network location to its product, so that a change of network forces the user to re-authenticate.
The incident comes shortly after Okta disclosed that personal information of 4,961 current and former employees was exposed in a September 23, 2023 breach of its healthcare coverage vendor, Rightway Healthcare. The exposed data included names, Social Security numbers, and medical insurance details. | Details |
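The mitigation described above, binding a session token to the network it was issued on and forcing re-authentication when the network changes, is shown here as an added example. It is not Okta's implementation, whose binding granularity is not public: the choice to bind IPv4 sessions to a /24 and IPv6 sessions to a /64, the in-memory store, and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Assumed binding granularity: a /24 for IPv4, a /64 for IPv6. Tight
# enough that a token replayed from an attacker's network fails, loose
# enough that a client whose address moves within one subnet stays logged in.
V4_PREFIX = 24
V6_PREFIX = 64


def network_for(client_ip: str):
    """Return the network a session should be bound to for this client."""
    addr = ipaddress.ip_address(client_ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


@dataclass
class Session:
    user: str
    bound_network: object  # IPv4Network or IPv6Network


class SessionStore:
    """In-memory session store (assumption: production would use a
    database or cache shared across the fleet)."""

    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        """Issue a fresh, unguessable token bound to the client's network."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, network_for(client_ip))
        return token

    def validate(self, token: str, client_ip: str) -> str:
        """Return 'ok', 'reauth_required' or 'invalid'.

        A token presented from outside its bound network is revoked on the
        spot: a replayed token (for example one lifted from a support case)
        buys the attacker nothing, and the legitimate user is asked to
        log in again from the new network.
        """
        session = self._sessions.get(token)
        if session is None:
            return "invalid"
        if ipaddress.ip_address(client_ip) not in session.bound_network:
            del self._sessions[token]
            return "reauth_required"
        return "ok"

    def revoke_all_for_user(self, user: str) -> int:
        """Incident-response helper: drop every session for one user."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def replay_scenario() -> list:
    """Constructed walk-through: a token stolen from a support case is
    replayed from a different network. Returns the three outcomes."""
    store = SessionStore()
    token = store.create("alice", "203.0.113.10")        # constructed address
    outcomes = [store.validate(token, "203.0.113.57")]    # same /24: fine
    outcomes.append(store.validate(token, "198.51.100.7"))  # attacker network
    outcomes.append(store.validate(token, "203.0.113.10"))  # now revoked
    return outcomes


if __name__ == "__main__":
    print(replay_scenario())
```

Network binding is a containment measure, not a replacement for keeping tokens out of support artefacts in the first place: it limits what a stolen token is worth, and the revoke-on-mismatch behaviour gives the defender a log event (the `reauth_required` outcome) worth alerting on when it fires for a privileged account.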
| 2023-11-04 05:39:35 | thehackernews | CYBERCRIME | Google Play Store Debuts 'Independent Security Review' Badge for Apps | Google is introducing an "Independent security review" badge in the Play Store's Data safety section for Android apps that have passed a Mobile Application Security Assessment (MASA) audit.
The badge is launching first with VPN apps, because of the sensitive data they handle, and is meant to give users more insight into an app's security posture before they install it.
MASA lets developers have their apps independently validated against recognised security standards such as the OWASP Mobile Application Security Verification Standard (MASVS).
Taking part in the assessment gives developers an opportunity to find and remediate security issues in their apps. Once all requirements are met, the badge appears on the app's Data safety form.
The move is part of Google's broader goal of presenting a unified view of app safety, covering what data an app collects, why, and whether it is shared with third parties.
Google cautions, however, that validation against a baseline standard does not mean an app is free of vulnerabilities. | Details |
| 2023-11-03 21:10:22 | bleepingcomputer | MALWARE | Rise of Ransomware Attacks Across Global Institutions; 40 Countries Pledge Not to Pay Ransom | Ransomware attacks have escalated recently, with institutions in several countries reported as victims of various gangs, including the Toronto Public Library, ACE Hardware and the British Library.
The Black Basta ransomware gang was identified as the attacker behind the Toronto Public Library incident.
Forty countries are expected to sign a pledge not to pay ransoms at the upcoming International Counter Ransomware Initiative summit in Washington, D.C. The pledge binds national governments only; it does not stop local governments or other organisations from paying ransom demands.
Responding to the rise in threats, Microsoft plans to strengthen security as part of its new 'Secure Future' initiative, which aims to improve the security built into its products and platforms.
Among new and returning threats, research indicates that Hive ransomware may be making a comeback under a new name, Hunters International.
Other new threats include a Linux-targeting wiper named BiBi-Linux and new variants of the STOP ransomware.
Notably, the Daixin Team has claimed responsibility for an attack that severely disrupted five Canadian hospitals. | Details |
| 2023-11-03 20:29:25 | theregister | DATA BREACH | Hilb Group Notifies Over 81,000 Individuals of Potential Data Breach | Hilb Group, a financial services firm handling property, casualty, and employee benefits insurance and advisory services, has notified over 81,000 individuals of a potential data breach.
The breach was detected after "suspicious activity" was observed on employee email accounts around January 10. An investigation found that unauthorised individuals had accessed the accounts between December 1, 2022 and January 12, 2023.
Potentially stolen data includes first and last names together with sensitive financial data and credentials, including Social Security numbers and credit or debit card details along with the associated security codes, passwords, or PINs.
After discovering the breach, Hilb secured the compromised accounts, launched a full investigation, and put additional technical safeguards in place to improve data security and prevent a recurrence.
Affected individuals were notified on October 9. To mitigate the impact, Hilb is offering free credit monitoring and identity protection services to those affected. | Details |