Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11675
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-03 12:15:42 | thehackernews | MALWARE | NodeStealer Malware Hijacks Facebook Business Accounts to Spread Malicious Ads | Hijacked Facebook business accounts are being used to run fraudulent advertisements intended to get victims to download an updated version of the NodeStealer malware, which steals passwords and browser cookies from the user. Meta first disclosed this JavaScript malware in May 2023, stating that it was used to take over Facebook accounts; the current threat, however, comes from a Python-based NodeStealer variant. Bitdefender's report says the campaign focuses on male Facebook users aged 18 to 65 in Europe, Africa, and the Caribbean, with men over 45 the most affected. The attackers' ultimate goal is to use the stolen cookies to bypass security mechanisms such as two-factor authentication, allowing them to change passwords and lock victims out of their accounts. This approach lets the criminals evade Meta's security defences and use the hijacked accounts either to steal money or to scam new victims. Additional account takeover attacks, including the 'Capra' operation on betting platforms and scams targeting Roblox gaming users, have been noted; these scams primarily aim to phish for victims' credentials. Also reported was a two-year-long data harvesting campaign in the Middle East that used about 3,500 fake real estate domains to collect information about buyers and sellers before selling this data on underground forums. | Details |
| 2023-11-03 11:49:50 | thehackernews | CYBERCRIME | Evolution of Predictive AI and Threat Detection: A Perspective by BlackBerry | AI and machine learning play crucial roles in cybersecurity, with the adaptive nature of these technologies aiding real-time detection and prevention of sophisticated cyber threats that are evolving at an accelerating pace. BlackBerry, with a robust patent portfolio in AI and ML, has emerged as a leading entity in the cybersecurity space, primarily due to its emphasis on enhancing the performance of predictive AI tools. Recent independent tests showed that BlackBerry's Cylance ENDPOINT® blocks 98.9% of threats by proactively predicting malware behavior, even in new variants, bolstering the company's preventive approach. The effectiveness of machine learning models is strongly related to their ability to detect and respond to threats in real time; in this context, Temporal Predictive Advantage (TPA) is a key metric for evaluating a model's long-term performance. BlackBerry's Cylance model shows a commendable temporal predictive advantage, maintaining high detection rates without frequent model updates for up to 18 months. The company's latest AI model, built on vast, varied datasets with extensive malware behavior insights, has outperformed all previous versions, particularly in temporal predictive advantage and in speed for distributed inference. BlackBerry's Cylance AI has reportedly helped customers halt 36% more malware, 12 times faster and with 20 times less overhead than competitors, highlighting the efficacy of AI in predictive cyber threat detection and prevention. | Details |
| 2023-11-03 11:19:01 | theregister | DATA BREACH | UK Regulator Fines Three Companies for Breaching Electronic Marketing Rules | The Information Commissioner's Office (ICO), the UK's data regulator, fined three companies for sending unsolicited marketing text messages to people registered with the Telephone Preference Service (TPS). Digivo Media Ltd, trading as Rid My Debt, was fined £50,000 ($61,110) for sending 415,000 texts over a period of five and a half months ending in September 2021. MCP Online faced a penalty of £55,000 ($67,221) for making an unspecified number of unsolicited financial services calls about pensions. Argentum Data Solutions (ADS), a data processing and hosting provider, was handed the biggest fine of £65,000 ($79,443); the company had sent, and allowed third parties to send, over 2.3 million direct marketing texts. The ICO issued 34 fines in 2022, primarily for breaking electronic marketing rules, with the fines bringing £16 million ($19.5 million) into the Treasury. Andy Curry, the ICO's head of investigations, stated that these companies use predatory marketing communications to target people who may be most at risk of harm. | Details |
| 2023-11-03 09:37:04 | thehackernews | MALWARE | Spyware 'CanesSpy' Found in Modified Android WhatsApp Versions | Cybersecurity researchers have discovered spyware, dubbed 'CanesSpy', embedded in modified versions of the WhatsApp Android application. The fraudulent WhatsApp versions are predominantly circulated through untrustworthy websites and Telegram channels, and most affected users are Arabic and Azerbaijani speakers. CanesSpy activates when the victim's phone is turned on or starts charging, then sends device information, including the IMEI, phone number, mobile country code and mobile network code, to a command-and-control (C2) server. CanesSpy, believed to have been developed by an Arabic speaker, also relays the victim's contact and account details every five minutes and can transmit a range of data from the device on command from the C2 server. Researchers believe the spyware has been active since mid-August 2023, primarily targeting users in Saudi Arabia, Yemen, Turkey, Egypt, and Azerbaijan. The discovery highlights the continued use of altered versions of messaging apps to distribute malware to unwary users. Users are urged to be cautious when downloading apps from third-party platforms, which have inadequate screening processes and fail to remove malware-laden applications. | Details |
| 2023-11-03 06:07:57 | thehackernews | MALWARE | 48 Malicious npm Packages Discovered, Able to Deploy Reverse Shells on Developer Systems | A total of 48 malicious npm packages capable of deploying a reverse shell on compromised systems were discovered in the npm repository. The illegitimate packages contained obfuscated JavaScript designed to establish a reverse shell upon installation of the package. The packages were published by an npm user named hktalent; at the time of the report, 39 of them were still available for download. The attack is triggered after the package is installed, through an install hook in package.json that runs JavaScript code which establishes the reverse shell. These findings closely follow reports that two packages published to the Python Package Index (PyPI) contained malicious code designed to steal Telegram Desktop application data and system information. The cases highlight threat actors' increasing interest in open-source ecosystems, resulting in impactful supply chain attacks that can hit several downstream consumers simultaneously. The malicious npm packages used several obfuscation techniques to evade detection by static analysis or visual inspection. | Details |
| 2023-11-03 01:18:23 | theregister | CYBERCRIME | FTX Founder, Sam Bankman-Fried, Found Guilty of Seven Criminal Charges Linked to Cryptocurrency Exchange Collapse | Sam Bankman-Fried, founder and former CEO of the crypto exchange FTX, has been found guilty of seven criminal charges relating to corporate malfeasance and fraud; the jury reached its verdicts in just four hours. The verdict follows the November 2022 bankruptcy of FTX, which was once valued at $32 billion. Investigations revealed a failure of corporate controls within FTX and a connected trading firm, Alameda Research. The charges arose from evidence that FTX had shifted its funds to Alameda, incurring losses that left investors unable to access their own funds; this mismanagement led to the collapse of the exchange. Bankman-Fried was quickly extradited from the Bahamas to face several lawsuits, including a case alleging stakeholder fraud of up to $10 billion, which culminated in the criminal convictions. A key witness was Bankman-Fried's former partner, Caroline Ellison, who testified that he directed her to move funds from FTX to Alameda. The combined maximum sentences for the charges could total 110 years' imprisonment; sentencing is set for March 28, 2024, but Bankman-Fried is expected to appeal. Aside from this case, Bankman-Fried faces several other cases expected to run over a number of years, keeping FTX in the spotlight as a key example of corporate incompetence within the crypto industry. | Details |
| 2023-11-02 21:49:36 | bleepingcomputer | CYBERCRIME | Atlassian Advocates Urgent Patching for Exploitable Confluence Flaw | Atlassian is urging administrators to patch a critical Confluence security flaw that could be exploited in data destruction attacks on Internet-exposed, unpatched instances. The flaw, tracked as CVE-2023-22518, is an improper authorization vulnerability with a severity rating of 9.1/10, affecting all Confluence Data Center and Server software versions. While there have been no reports of active exploitation, Atlassian found a publicly available exploit for the vulnerability, heightening the risk for publicly accessible instances. The exploit can be used to wipe data on affected servers, but not to steal data; Atlassian Cloud sites accessed through an atlassian.net domain are not at risk. In addition to recommending immediate upgrades, Atlassian provided a set of mitigation actions for those who cannot immediately patch their Confluence instances; these are not considered long-term solutions, and patching remains crucial. Last month, multiple government agencies and Microsoft warned about an actively exploited privilege escalation flaw in Atlassian Confluence servers, which a China-linked threat group had been using as a zero-day since September 2023. Given their wide use, securing Confluence servers is critical to preventing ransomware, Linux botnet malware, and crypto-miner attacks. | Details |
| 2023-11-02 20:53:26 | bleepingcomputer | CYBERCRIME | Ace Hardware Suffers Major Cyberattack Impacting 1,202 Devices and Internal Systems | Ace Hardware, a prominent retailer-owned hardware store cooperative with over 5,700 shops globally, confirmed it suffered a major cyberattack that crippled its IT systems. The attack severely disrupted key operational systems including ACENET, the Warehouse Management Systems, the Ace Retailer Mobile Assistant, Hot Sheets, Invoices, Ace Rewards, and the Care Center's phone system. The company's order processing systems are also affected, preventing stores and customers from placing new orders, and the company does not yet have a timeline for restoration. Ace Hardware's president and CEO, John Venhuizen, stated that 1,202 devices, including 196 servers, were impacted, and that as of the most recent update 51% of the servers had been restored. While working towards restoration, the company has warned its retailers that threat actors are attempting to exploit the situation through phishing emails and calls asking them to redirect payments or hand over account credentials. At this stage, the full extent of the cyberattack, including the possibility of data theft, is uncertain. | Details |
| 2023-11-02 19:26:23 | bleepingcomputer | MALWARE | North Korean Lazarus Group Targets Cryptocurrency Professionals with New KandyKorn macOS Malware | A newly discovered macOS malware named 'KandyKorn' is being attributed to the North Korean Lazarus Group; the malware targets engineers in the cryptocurrency sector. The attackers impersonate cryptocurrency community members on Discord channels to distribute Python-based modules that initiate the KandyKorn infection chain. Elastic Security linked the attacks to previous Lazarus campaigns based on the methodologies employed, the network infrastructure, the code-signing certificates, and custom detection rules for Lazarus tooling. The infection chain involves a series of multi-stage downloads and payloads before it finally establishes a connection with a command-and-control (C2) server and loads the KandyKorn malware. KandyKorn has multiple capabilities, including data retrieval, directory listing, file upload/download, secure deletion, process termination, and command execution, which together make it particularly stealthy and dangerous. While Lazarus primarily targets the cryptocurrency sector for financial gain, KandyKorn's existence attests to the group's ability to craft sophisticated, well-concealed malware specifically designed for Apple computers. | Details |
| 2023-11-02 19:00:17 | bleepingcomputer | CYBERCRIME | Henry Schein Healthcare Giant Targeted by BlackCat Ransomware Gang | The BlackCat ransomware gang claimed it breached the network of healthcare giant Henry Schein, stealing dozens of terabytes of data, including payroll and shareholder information. The company had earlier disclosed that it took some systems offline to contain a cyberattack that impacted its manufacturing and distribution businesses. Some of Henry Schein's business operations were disrupted by the attack, but its practice management software "Henry Schein One" was unaffected; law enforcement has been informed of the incident, and external cybersecurity and forensics experts have been hired to investigate. Following its disclosure of the cyberattack, the healthcare services provider advised customers to place orders through their Henry Schein representative or dedicated telesales phone numbers for security. The BlackCat ransomware group added Henry Schein to its dark web leak site, alleging it had breached the company's network and stolen 35 TB of sensitive files, and claimed it encrypted the company's devices a second time after seemingly unsuccessful negotiations. Henry Schein's entry on BlackCat's data leak site was later removed, prompting speculation that the company may have restarted negotiations or paid the ransom. The BlackCat ransomware operation, likely a rebrand of DarkSide/BlackMatter, which was originally known for its attack on Colonial Pipeline, began in November 2021; the FBI linked the group to successful attacks on more than 60 organizations worldwide between November 2021 and March 2022. | Details |
| 2023-11-02 18:34:22 | bleepingcomputer | CYBERCRIME | U.S. Mortgage Lender Mr. Cooper Hit by Cyberattack Disrupting IT Systems | U.S. mortgage lender Mr. Cooper experienced a cyberattack that forced it to shut down its IT systems, including the online payment portal. The company, with approximately 9,000 employees and 4.1 million customers, is the largest servicer, with loans worth $937 billion. Following the attack, customers were unable to access its website to make mortgage or loan payments. Mr. Cooper assured customers that those trying to make payments will not incur any fees or other negative impacts due to the issue, and that it will not affect their credit reporting. The company has not yet confirmed whether this was a ransomware attack, but noted that it has launched an investigation into the incident. The company is also verifying whether customer data was compromised and will notify impacted customers if so. With the type of attack unconfirmed, customers are advised to stay vigilant against potential phishing attacks and identity theft. | Details |
| 2023-11-02 18:13:31 | bleepingcomputer | CYBERCRIME | U.S. Mortgage Lender Mr. Cooper Suffers Cyberattack Impacting Their IT System | U.S. mortgage lending giant Mr. Cooper faced a cyberattack that led to a shutdown of its IT systems, including the online payment portal. The company, based in Dallas, Texas, is the nation's largest servicer, with 4.1 million customers and around $937 billion in serviced loans. The company confirmed the cyberattack through a notice posted on its website, stating that an unauthorized third party had accessed its systems; the breach was detected on October 31, 2023. Currently, customers cannot make mortgage payments due to the system outage, but the company assures that customers will not be charged any fees or penalties, or suffer negative credit reporting, for late payments under these circumstances. The company is investigating whether customer data was compromised during the attack and will notify impacted customers if any data was exposed. The nature of the attack has not been disclosed officially, but based on the type of disruption it shows signs of being a ransomware attack. Customers are advised to guard against potential phishing attacks and identity theft, given the sensitive financial information that Mr. Cooper holds. | Details |
| 2023-11-02 18:02:43 | theregister | MISCELLANEOUS | Rising Job Dissatisfaction among Cybersecurity Professionals Amid Workplace Challenges | A rising number of cybersecurity professionals are expressing job dissatisfaction due to various workplace issues, according to a global ISC2 survey of 14,865 infosec workers. The research showed that 36.9% of respondents fall into the "low employee experience" bracket, i.e. low work satisfaction, a rise of more than 5% that indicates increasing dissatisfaction. The study points out that while 70% reported being somewhat or highly satisfied with their job, factors such as departmental cutbacks, the threat of layoffs, and a lack of managerial support significantly reduced overall happiness. Companies where cybersecurity positions had been eliminated reported an overall happiness score of 46 out of 100, with the prospect of future layoffs resulting in a score of just 38.9. Increased workload due to cross-industry downsizing is another strain: almost three-quarters of respondents reported a heavier workload in the past year, with pain points including high email and task load, staffing and skills issues, and inadequate resources. Poor handling by management has been identified as the factor contributing most to low employee satisfaction; mismanagement, along with insufficient resources, often results in low morale and lost trust between the workforce and management. Even with a significant rise in the total number of security professionals (up 8.7% to 5.4 million this year), the cybersecurity industry still faces a shortage, with the skills gap widening by 12.6%. | Details |
| 2023-11-02 17:16:33 | theregister | CYBERCRIME | Ransomware Criminals Exploit Critical Apache ActiveMQ Vulnerability; Majority of Services Remain Unpatched | A severe vulnerability in Apache ActiveMQ is being exploited by ransomware criminals, despite patches having been released shortly after the flaw's announcement on October 25. The vulnerability, tracked as CVE-2023-46604, enables remote code execution (RCE) on affected systems. Security firm Rapid7 has observed exploitation of this flaw in two client environments, with attempts to deploy ransomware traced to the HelloKitty ransomware family. Although patches are available, the Internet security non-profit Shadowserver found that as of November 1 only 105 services had been patched out of over 3,000 vulnerable ones, leaving many exposed to attack. Most of the unpatched services are located in China, followed by the United States and Germany. The HelloKitty group, potentially responsible for these attacks, gained notoriety with a 2021 attack on CD Projekt Red, after which it reportedly sold the gaming company's data, including alleged source code for major games. It has not been definitively proven that the HelloKitty group is behind these attacks, and some evidence suggests a less experienced individual or group may be using the HelloKitty source code. | Details |
| 2023-11-02 16:24:59 | bleepingcomputer | CYBERCRIME | HelloKitty Ransomware Exploits Apache ActiveMQ Flaw in Attacks | The HelloKitty ransomware operation is leveraging a recently disclosed Apache ActiveMQ remote code execution flaw to breach networks and encrypt devices. The exploit allows threat actors to execute arbitrary shell commands by abusing serialized class types in the OpenWire protocol. Despite a security update released on October 25, 2023, that addresses the flaw, over 3,000 servers remain exposed to attack, according to the threat monitoring service ShadowServer. Cybersecurity firm Rapid7 has reported at least two separate incidents of threat actors using this exploit to deploy HelloKitty ransomware and extort the targeted organizations. The ransomware attacks reportedly started two days after Apache released its security patch, making this a case of n-day exploitation. Rapid7 urges administrators to promptly apply the available security updates to protect their servers from ransomware attacks. Vulnerable versions are 5.15 to 5.18; fixed versions include 5.15.16, 5.16.7, 5.17.6, and 5.18.3. | Details |