Daily Brief

2023-11-01 18:06:45 bleepingcomputer CYBERCRIME 3,000 Apache ActiveMQ Servers Vulnerable to Remote Code Execution Attacks
Over 3,000 internet-exposed Apache ActiveMQ servers are susceptible to a recently disclosed critical remote code execution (RCE) vulnerability (CVE-2023-46604) that scores a full 10.0 on the CVSS v3 severity scale. Apache ActiveMQ is an open-source message broker that facilitates secure communication between clients and servers using diverse authentication and authorization mechanisms, making it a popular choice in enterprise environments. Attackers can exploit this flaw to execute arbitrary shell commands by abusing the serialized class types in the OpenWire protocol. Apache issued a fix on October 27, 2023; however, approximately 3,329 of the 7,249 discovered servers are still running a vulnerable ActiveMQ version. Exploitation of this vulnerability can result in message interception, workflow disruption, data theft, and possible lateral movement within the network. Given its significant implications and public availability, applying the recommended security updates should be treated as a priority.
2023-11-01 17:25:33 bleepingcomputer MALWARE Mozi Malware Botnet Deactivated by Unknown Party with Kill-Switch
The Mozi malware botnet was deactivated after an unknown party sent a payload that triggered a kill-switch on 27 September 2023. The botnet, which targeted IoT devices for DDoS attacks, suddenly saw a drop in activity in August 2023, starting with operations in India being halted. This cessation was followed by a similar halt in China, where the botnet originates. On 27 September 2023, a UDP message was sent to all Mozi bots instructing them to download an update via HTTP, which deactivated the network. Analysis of the code used in the deactivation indicates it was similar to the original Mozi code and was signed with the correct private keys, suggesting the involvement of either the original botnet creators or Chinese law enforcement in the takedown. Although one of the most prolific botnets has become inactive, many other DDoS malware botnets are still actively seeking vulnerable IoT devices, so users are urged to protect their devices with the most recent software updates and strong passwords and to isolate them from critical networks.
2023-11-01 16:19:05 theregister CYBERCRIME Active Exploitation of Critical Vulnerabilities in F5 BIG-IP Suite Noted
Evidence of active exploitation of vulnerabilities in F5's BIG-IP suite has been confirmed. These weaknesses drew attention after an Apache JServ Protocol (AJP) smuggling vulnerability was detected in F5's BIG-IP Configuration utility, and they were subsequently part of a large advisory covering several other CVEs affecting the product line. The exploitation is suspected to chain the AJP smuggling flaw with an SQL injection vulnerability (CVE-2023-46748). F5 is believed to have anticipated a significant exploit chain based on a report provided by another researcher before the vulnerabilities were made public. Researchers routinely delay or withhold vital parts of vulnerability research to prevent attackers from building an exploit before patches can be applied. The discovery of a single exposed CISA server led to that server being taken down, but many more in the telecoms sector are still reportedly susceptible.
2023-11-01 14:56:27 thehackernews CYBERCRIME Prolific Puma Threat Actor Operates Link Shortening Service for Cyber Fraud and Malware Distribution
A threat actor known as Prolific Puma operates an underground link shortening service used by other malicious actors to distribute phishing scams and malware, according to Infoblox. The actor has been creating domain names with a registered domain-generation algorithm (RDGA) and using them to provide its service, helping other cybercriminals evade detection. Prolific Puma is estimated to have registered between 35,000 and 75,000 unique domain names since April 2022. The actor leverages NameSilo, an American domain registrar and web hosting company, for registration and name servers, and ages domains for a few weeks before moving them to anonymous providers. The real identity and origins of Prolific Puma are currently unknown; however, multiple threat actors are known to use its service to lead victims to phishing and scam sites, CAPTCHA challenges, and other shortened links. Prolific Puma is characterized as a DNS threat actor, leveraging DNS infrastructure for malicious purposes. Trend Micro has separately reported on another tool, named Kopeechka, which less experienced cybercriminals use to automate the creation of hundreds of fake social media accounts in seconds. The operation allows the creation of two types of email addresses for account registration: ones hosted on domains owned by the threat actor and ones on popular email hosting services. Kopeechka also lets users select from 16 different online SMS services, mainly from Russia, to complete the registration process, adding another layer of anonymity for the threat actors.
2023-11-01 14:56:26 bleepingcomputer CYBERCRIME Skilled Hackers Exploit Recently Discovered Flaws in F5 BIG-IP Devices
Hackers are exploiting two recent vulnerabilities in F5 BIG-IP products to stealthily gain access and erase signs of intrusion. F5 BIG-IP is a suite of services used for load balancing, security, and managing the performance of networked applications, and it is widely used by government organizations and large enterprises. The vulnerabilities, tracked as CVE-2023-46747 and CVE-2023-46748, have prompted F5 to urge admins to apply the necessary security updates because of active exploitation. These vulnerabilities allow skilled attackers to erase traces of their activity, making it impossible to prove that a device has not been compromised. The Cybersecurity & Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the updates by November 21, 2023. F5 has also released a mitigation script for the RCE flaw and is encouraging admins of exposed BIG-IP devices to move directly to the clean-up and restoration phase.
2023-11-01 14:50:47 theregister MALWARE Rise in Use of Macro-Enabled XLL Files by Cybercriminals to Distribute Malware
Cybercriminals have been increasingly using Excel add-in (XLL) files to launch malware attacks, with XLL files ranking as the seventh most commonly abused file extension in Q3 2023, a significant rise from 42nd position in Q2. XLL files offer attackers more capabilities than Visual Basic for Applications (VBA) macros, which Microsoft has blocked by default since 2022; features such as multithreading support enable more effective attacks. Microsoft's attempts to block XLL attachments from untrusted locations have not stopped attackers, who frequently use compromised email accounts to bypass these security measures. Attackers are deploying malware directly in document files, exploiting multithreading to stealthily launch malware or Remote Access Trojans (RATs). Notable malware families previously delivered by XLLs include Dridex, Agent Tesla, Raccoon Stealer, and Formbook. A recent campaign delivering the Parallax RAT demonstrated the evasion techniques used to bypass XLL blocks, deploying the payload via seemingly legitimate invoice templates. Besides Excel, similar campaigns have targeted PowerPoint add-in files, continuing the trend of exploiting seemingly benign Microsoft Office documents for cyber attacks.
2023-11-01 14:04:39 bleepingcomputer CYBERCRIME LayerX Launches Secure Enterprise Browser Extension to Combat Web-Borne Attacks
LayerX has developed a secure enterprise browser extension to tackle the rising levels of sophisticated web-borne attacks that have often left organizations exposed. The extension provides comprehensive visibility, continuous monitoring, and well-defined policy enforcement for every event taking place within a browsing session. Using proprietary Deep Session Analysis technology, the extension can also prevent credential theft by phishing sites, identify malicious extensions, and mitigate several data loss risks associated with web browsers. The LayerX extension is designed for seamless installation over existing browser infrastructure and can be distributed via group policy or any enterprise device management platform. It also offers a user-friendly dashboard that immediately populates with pre-set policies and information on browsers, users, extensions, and web activity. LayerX ships with default policies that protect against a wide range of web-borne risks, and users can modify the conditions and actions of these policies or create new ones according to their needs. By consolidating protection measures for web-borne risks in one place, the extension reflects the growing recognition by organizations that the browser is central to their operations.
2023-11-01 11:57:07 thehackernews CYBERCRIME LayerX Develops Enterprise Browser Security Extension to Combat Web-Borne Attacks
LayerX has developed an enterprise browser security extension to combat the increasing number of web-borne attacks that exploit vulnerabilities in browsers and result in data theft. Traditional endpoint, network, and data protections fail to stop advanced web-borne attacks, exposing organizations to risks such as phishing attacks, malicious browser extensions, and data exposure. The LayerX extension offers comprehensive visibility, continuous monitoring, and granular policy enforcement within browsing sessions. Its proprietary Deep Session Analysis technology mitigates browser data loss risks, prevents credential theft by phishing sites, and identifies malicious extensions. The LayerX dashboard provides pre-defined policies, insights into the browser ecosystem, user configurations, detected risk alerts, and data aggregations. The system's Discovery page provides a wealth of information about five types of entities and can also help proactively detect and resolve browser-related issues. The LayerX platform supports multiple browser security use cases, such as blocking the installation of risky extensions, preventing data leakage, and hardening protection against account takeovers by serving as an additional authentication factor. The platform also provides a single pane for consolidating protection measures against all web-related risks. This solution is particularly beneficial for organizations that rely heavily on browser-based operations for their business.
2023-11-01 11:51:32 theregister CYBERCRIME Owner of RansomedVC Ransomware Operation Offers to Sell Business, Raises Suspicion of Exit Scam
The owner of the short-lived RansomedVC ransomware operation is reportedly selling the business, citing personal reasons as well as the need to avoid federal monitoring. The owner announced the decision to sell, at a 20% discount, over Telegram. The sale supposedly includes the ransomware builder, access to affiliate groups and social media channels, and 37 databases worth an alleged total of $10 million. The sale has raised suspicions, with some in the information security industry speculating that it may be an exit scam following alleged past swindles by the owner. RansomedVC's recent unusual public activity, including a smear campaign against the founder and CEO of Dragos, has added to doubts about the cyber criminal group's legitimacy. Claims by RansomedVC of major cyber attacks on Sony and Japan's largest telco, NTT Docomo, have also been contested, suggesting the group may have taken other criminals' stolen data and presented it as their own, or used a different alias for the initial leaks.
2023-11-01 11:25:34 thehackernews NATION STATE ACTIVITY Iranian Cyber Espionage Group Targets Middle East Financial, Government, and Telecommunication Sectors
An Iranian threat actor group affiliated with Iran's Ministry of Intelligence and Security (MOIS) is running a sophisticated cyber espionage campaign targeting the financial, government, military, and telecommunications sectors in the Middle East. Identified as Scarred Manticore by Israeli cybersecurity firm Check Point, the group has attacked multiple countries including Saudi Arabia, the UAE, Jordan, Kuwait, Oman, Iraq, and Israel. The group also overlaps with other Iranian groups such as OilRig and with an intrusion set codenamed ShroudedSnooper by Cisco Talos. Scarred Manticore is using a stealthy backdoor known as HTTPSnoop to target telecom providers in the region and a new malware framework identified as LIONTAIL that can execute commands remotely via HTTP requests. The group has also used multiple web shells and a web forwarder tool known as LIONHEAD. The threat actor's continuous evolution of its malware arsenal since its believed emergence in 2019 highlights its vast resources, varied skills, and a modus operandi common to advanced persistent threat (APT) groups. The group's campaign against Israel comes amid the ongoing Israel-Hamas war, indicating nation-state actors' heightened use of information warfare tactics.
2023-11-01 09:07:51 thehackernews NATION STATE ACTIVITY North Korean Hackers Target Crypto Experts with Novel macOS Malware KANDYKORN
State-sponsored threat actors from North Korea have been found targeting blockchain engineers of an unspecified cryptocurrency exchange platform with a novel macOS malware named KANDYKORN. The victims were lured into downloading and running a ZIP archive containing malicious code under the pretense of installing an arbitrage bot. The malware is an advanced implant capable of monitoring the host, interacting with it, and evading detection, primarily by leveraging a technique known as reflective loading. The activity shares similarities with the Lazarus Group, a notorious North Korean hacking collective, and has been traced back to April 2023. The attack begins with a Python script, proceeds through a five-stage process, and ends with the execution of KANDYKORN. This comes alongside the re-emergence of Kimsuky, another North Korean hacking outfit, with an updated variant of an Android spyware called FastViewer. Researchers have warned that this activity demonstrates North Korea's continued focus on the crypto industry, with the intention of stealing cryptocurrency to bypass international sanctions.
2023-11-01 08:42:12 theregister CYBERCRIME UK Soft Drinks Producer Britvic Eliminates Security Threats in Webinar Discussion
Cyber attacks on industrial control systems are increasingly common and can result in operational delays, shutdowns, and financial losses for businesses. Increased systems connectivity often introduces cybersecurity blind spots, exposing sensitive data to unauthorized access and disruption. Maintaining security requires detailed visibility of Operational Technology (OT) assets as well as their protection across extended networks. Automated threat detection can play a crucial role in maintaining constant vigilance against cyber threats. A webinar hosted by the UK soft drinks producer Britvic on November 8 tackles strategies for overcoming security challenges, discusses evolving threats to OT security, and offers management advice on the risks arising from IoT connectivity and automation. Registration for the webinar, sponsored by Claroty, is now open.
2023-11-01 07:25:23 thehackernews NATION STATE ACTIVITY Russian-linked Turla Group Updates Kazuar Backdoor with Advanced Stealth Capabilities
The Turla hacking group, believed to be connected to the Russian Federal Security Service (FSB), has been observed using a highly evolved version of the Kazuar backdoor. Security researchers from Palo Alto Networks Unit 42, who track the group as Pensive Ursa, are following the hackers' activities. The enhanced Kazuar displays advanced anti-analysis capabilities that allow it to operate more stealthily, highlighting the continued evolution of Turla's attack methods towards greater sophistication and subterfuge. Kazuar first emerged in 2017 and is a .NET-based implant that can interact clandestinely with compromised systems and exfiltrate data. In January 2021, links were discovered between Kazuar and Sunburst, another backdoor used in the SolarWinds hack. The backdoor's functionality has been significantly expanded, from 26 commands in 2017 to 45 in the updated version. It now features comprehensive system profiling, data collection, credential theft, file manipulation capabilities, and autonomous task scheduling. Communication with command-and-control servers uses HTTP. Turla's new tactics include a multithreading model for Kazuar, enabling it to receive and execute commands independently. The backdoor can also function as a proxy, relaying communication between different Kazuar instances, and incorporates anti-analysis functionality. The development coincides with Kaspersky's report that several Russian state and industrial organizations have been targeted with a custom Go-based backdoor as part of a spear-phishing campaign that began in June 2023. The threat actor behind that operation currently remains unidentified.
2023-11-01 05:07:52 theregister NATION STATE ACTIVITY Apple Warns Indian Politicians of Suspected State-Sponsored Cyber Attacks
Several Indian politicians and media figures, all from opposition parties, have said that Apple warned them their accounts were potentially targeted by state-sponsored cyber attackers. MP Mahua Moitra, one of the targets, shared Apple's warning email publicly and associated the possible attackers with the Indian government, alleging that it is trying to compromise her iPhone. This is not the first instance of such accusations against the Indian government: in 2021, phone numbers of Indian journalists and politicians were reportedly found on a list targeted by the "Pegasus" spyware created by NSO Group. India's tech minister Ashwini Vaishnaw questioned the validity of Apple's warnings, stating that they are "vague and non-specific" and could be based on incomplete or imperfect information. Apple's own description of its state-sponsored threat alerts does acknowledge that they could potentially be false alarms. Critics argue that the Indian government's alleged involvement aligns with an observed trend of intolerance towards dissenting voices and an "autocratic drift," including frequent internet shutdowns. However, it is also possible that foreign states in tension with India are the source of the attacks. Apple deliberately does not disclose any information about the source of these potential threats and has not commented on these specific notifications.
2023-11-01 04:57:25 thehackernews CYBERCRIME F5 Warns of Active Cyber Attacks Exploiting BIG-IP Vulnerabilities
F5 has issued an alert regarding active exploitation of a critical security flaw in BIG-IP, tracked as CVE-2023-46747 with a CVSS score of 9.8. The vulnerability enables unauthenticated attackers with network access to the BIG-IP system to execute arbitrary system commands. The issue impacts all versions of the software, and a proof-of-concept exploit has been released by ProjectDiscovery. F5 also reported threat actors exploiting CVE-2023-46748, an authenticated SQL injection vulnerability in the BIG-IP Configuration utility with a CVSS score of 8.8. Attackers are using the two vulnerabilities in combination to execute arbitrary system commands. F5 advises users looking for indications of compromise to check the designated log files for suspicious entries. The Shadowserver Foundation reported detecting attempts to exploit CVE-2023-46747 since October 30, 2023, and urged users to apply the necessary fixes quickly.