Daily Brief

Articles are listed below with generated summaries

Total articles found: 11664

Checks for new stories every ~15 minutes

2023-10-31 19:19:32 theregister CYBERCRIME Russians and Americans Indicted for Hacking JFK Airport's Taxi Dispatch System to Sell Queue Spots
Two American nationals, Daniel Abayev and Peter Leyman, and two Russian nationals, Aleksandr Derebenetc and Kirill Shipulin, have been charged with hacking the taxi dispatch system at John F. Kennedy International Airport in New York in order to sell front-of-line positions to taxi drivers. The alleged hacking occurred between September 2019 and September 2021, and the American duo pleaded guilty in early October. The scheme exploited taxi drivers' demand for profitable airport fares and their financial incentive to avoid waiting in line. The alleged hackers tried several ways to gain access to the dispatch system, including bribing personnel to insert a malware-containing flash drive into system-connected computers, unauthorized access via Wi-Fi connections, and stealing system-connected tablets. The group purportedly offered queue-jumps for $10 and waived fees for drivers who provided referrals, allegedly enabling as many as 1,000 queue-skipping trips per day. The dispatch system was accessed multiple times, resulting in substantial earnings for the group; the accused Russians earned over $100,000 from the scheme, sent to them under the guise of "payment for software development" or "payment for services rendered." The American defendants face up to five years in prison, and the Russian defendants could face a maximum sentence of ten years if apprehended.
2023-10-31 19:03:51 bleepingcomputer CYBERCRIME British Library's Online Services Disrupted after Major Cyberattack
The British Library experienced a significant IT outage impacting its website and various services following a cyber incident on October 28. The outage also affected phone lines and on-site library services in London and Yorkshire, although facilities such as the Reading Rooms remained operational. Physical items requested before the attack are available on site, but manual ordering of collections in London is limited, there is no access to digital collections or the digital catalogue, and exhibition tickets can only be bought on site with cash. No details have been provided about the type of attack, how the attackers breached the library's systems, or whether personal or financial information was compromised. The National Cyber Security Centre (NCSC) and other cybersecurity specialists are working with the library to investigate the incident. As one of the world's most extensive libraries, the British Library holds over 150 million items and receives over 11 million online visitors annually; over 16,000 people use its collections daily, both on site and online.
2023-10-31 18:07:28 bleepingcomputer CYBERCRIME Atlassian Cautions Over Critical Security Flaw in Confluence Leading to Data Loss
Australian software company Atlassian warns of a critical security flaw in its Confluence Data Center and Confluence Server software that could lead to data loss if successfully exploited. The vulnerability, described as an improper authorization issue and tracked as CVE-2023-22518, poses a severe risk to publicly accessible Confluence instances. The flaw can be used by threat actors to destroy data on affected servers, but it does not affect confidentiality, as it cannot be used to extract instance data. Cloud instances accessed via an atlassian.net domain are not affected. Atlassian patched CVE-2023-22518 in Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1, and urges admins to back up unpatched instances and block Internet access to them until they are upgraded. CISA, the FBI, and MS-ISAC had previously warned admins to patch Confluence servers against an actively exploited privilege escalation flaw tracked as CVE-2023-22515, which the Chinese-backed Storm-0062 (aka DarkShadow or Oro0lxy) threat group had reportedly exploited as a zero-day since at least September 14, 2023.
2023-10-31 17:36:36 theregister CYBERCRIME Retail Hardware Giant, Ace, Disrupted by Significant Cyberattack
Ace Hardware, a US-based hardware cooperative, suffered a severe cyberattack on Sunday that impacted the majority of its IT systems and hindered many key operations. The attack disrupted the company's warehouse management systems, retailer mobile assistant system, invoicing system, and the phone system of its customer rewards and care center. The type of attack has not yet been specified; digital forensic experts have been called in to aid in the restoration process. Although online orders and deliveries were suspended, the company said that in-store payments and credit card processing were unaffected. Warehouse employees and other staff are reportedly concerned about pay delays following the cyberattack. The company recently reported a decrease in revenue, down 5.8% compared to the same quarter of the previous year.
2023-10-31 16:55:24 bleepingcomputer CYBERCRIME Alliance of 40 Nations Pledges to Cease Paying Ransomware Ransoms
Representatives from 40 countries will commit to discontinuing ransom payments to cybercriminal gangs at the third annual International Counter-Ransomware Initiative summit. The move comes in response to rising global ransomware threats, with the United States bearing the brunt of these attacks, accounting for roughly 46% of incidents worldwide. The summit will explore strategies to cut off funding for ransomware operations, aiming to undermine a critical driver of the industry: the profitability of such attacks. Although 48 countries, the European Union, and Interpol are participating in the summit, it remains unclear whether all attendees will agree to the pledge. Ransomware incidents peaked in September, with North America the most targeted region, and over the last two years numerous governments have suffered severe disruptions from ransomware attacks. The summit follows the inaugural event organized by the White House National Security Council in October 2021, at which 31 countries pledged to expand efforts to disrupt ransomware groups' abuse of cryptocurrency.
2023-10-31 16:24:20 bleepingcomputer MALWARE Samsung Rolls Out Enhanced Malware Protection with Auto Blocker Feature
Samsung has introduced a new security feature called 'Auto Blocker' with the One UI 6 update, providing increased malware protection on Galaxy devices. The opt-in feature prevents the sideloading of apps from sources outside the Galaxy Store and Google Play, in an attempt to shield users from social engineering attacks. For users who need to install apps from unofficial channels, Auto Blocker can be deactivated; the feature also includes app security checks powered by McAfee. Auto Blocker additionally blocks unauthorized commands and software installations via the USB port, which protects users when they charge their devices at public charging stations. Alongside the launch of One UI 6, Samsung has also improved Message Guard to support popular third-party messaging apps including Messenger, Telegram, KakaoTalk, and WhatsApp. Initially, only the Galaxy S23, S23+, and S23 Ultra have received the update, which includes Auto Blocker and the updated Message Guard, but more devices are expected to receive it soon. Users of compatible devices can activate the feature through the settings menu and are advised to also use a third-party mobile security solution for additional protection.
2023-10-31 16:18:42 theregister DATA BREACH FTC Introduces Mandatory 30-Day Data Breach Reporting Deadline for Non-Banking Financial Organisations
The U.S. Federal Trade Commission (FTC) has approved amendments to its Safeguards Rule that mandate non-banking financial organisations to report data breaches within 30 days. The rule will apply to the likes of insurance firms, mortgage brokers, payday lenders, and car dealerships. Under the amendment, entities responsible for the safekeeping of customers' financial information are required to inform the FTC of a data breach involving 500 or more consumers as quickly as possible, but no later than 30 days after the incident is discovered. The FTC amendment reflects similar legislative measures adopted by state governments across the U.S.; in California, for instance, businesses are required to disclose breaches that affect 500 or more state residents. The mandatory disclosure is estimated to affect an additional 155 firms, and the new rule will come into effect 180 days after it is published in the Federal Register, probably in 2024. The FTC initiative aligns with recent moves by the Securities and Exchange Commission (SEC), which introduced its mandatory breach reporting rules in July with an even tighter four-day window. The Department of Homeland Security (DHS) is also examining ways to streamline the reporting of security incidents at the federal level, including a proposed single reporting portal.
2023-10-31 15:27:13 bleepingcomputer CYBERCRIME Prolific Puma: Unmasking the Massive URL Shortening Service for Cybercriminals
Security researchers from Infoblox have uncovered a massive cybercrime link shortening service operated by an actor they have named Prolific Puma. Operating undetected for at least four years, Prolific Puma has registered thousands of domains, largely on the U.S. top-level domain (usTLD), to facilitate the delivery of phishing, scams, and malware. Prolific Puma's shortened links often pass through multiple redirects before reaching the landing pages, and some lead users to a CAPTCHA challenge, possibly to shield against automated scans. The actor is suspected to serve multiple clients, as the nature of the short links varied. Delivery methods include text messages, social media, and advertisements. The operator has registered up to 75,000 unique domain names since April 2022, spread across 13 TLDs but primarily using usTLD. To evade detection and scrutiny, Prolific Puma "ages" its domains by leaving them inactive for a few weeks before moving them to a bulletproof hosting provider. Infoblox believes that Prolific Puma only provides the link shortening service, while the landing pages are likely controlled by different actors; however, it does not rule out the possibility that Prolific Puma controls the entire operation.
2023-10-31 15:06:15 bleepingcomputer NATION STATE ACTIVITY Canada Prohibits Use of WeChat and Kaspersky Products on Government Devices
Canada's Treasury Board President, Anita Anand, has announced a ban on the use of Tencent's WeChat app and Kaspersky security products on government-issued mobile devices over privacy and security risks. The Canadian government expressed fears that these companies could secretly relay sensitive information to Chinese and Russian intelligence agencies. Although no verified incidents of compromised government data have been reported, the potential risks linked to these apps' data collection methods, particularly on mobile devices, are considered unacceptable. The ban takes effect on October 30, 2023, by which time all designated software must have been removed; downloading these apps will also be blocked after that deadline. While the government supports individual freedom in choosing apps, it advises users to consult the Canadian Cyber Centre's recommendations. Kaspersky argues that the decision was not based on a technical evaluation of its products but is politically motivated, rejecting all claims as groundless and suggesting the action is part of Canada's response to the current geopolitical climate. Other countries, including the U.S., Germany, Italy, and the U.K., have previously expressed concerns about and imposed restrictions on Kaspersky products over potential Russian espionage risks.
2023-10-31 14:24:45 bleepingcomputer MALWARE New NuGet Typosquatting Campaign Abuses MSBuild to Install Malware Stealthily
Threat actors have targeted the NuGet software distribution system in a new typosquatting campaign, using its MSBuild integration to execute code and install malware. The campaign was detected by ReversingLabs on October 15, 2023; its packages leverage MSBuild integration instead of the common approach of placing downloaders in install scripts. MSBuild integration's ability to automatically run scripts when a package is installed has long raised security concerns; the malicious code spotted by ReversingLabs was hidden in a “build” directory. This abuse of MSBuild integration was first demonstrated by a security researcher in 2019 to show how it could be used to run code when NuGet packages are installed, but this is the first recorded use by threat actors. The malicious packages are part of a campaign that began in August 2023 but did not abuse MSBuild integration until mid-October 2023. The attackers have been refining their techniques, initially using PowerShell scripts to fetch the malware from a GitHub repository, and after the packages were removed they immediately tried to upload new ones, indicating an intent to continue the campaign.
2023-10-31 14:18:34 theregister CYBERCRIME British Library Suffers Major IT Outage In "Cyber Incident"
The British Library has been grappling with an unresponsive website, Wi-Fi, phone lines, and other services after a "cyber incident" led to a significant IT outage. The outage started on the morning of October 28, and its effects continue to be felt at both the St Pancras site in London and locations in Yorkshire. The incident is severe enough that internal experts as well as the National Cyber Security Centre (NCSC) are involved in the investigation and response. Despite the major technology blackout, the British Library has kept its sites open, reminding visitors and patrons of available services through social media while warning about limitations due to the issue. Cash payments are being accepted as one of the workarounds, while ordering and collection of items remain limited. The library has yet to confirm details about the nature of the security incident and has not issued any statement on reports of problems with its VMware ESXi servers, which have been blamed for exacerbating the situation.
2023-10-31 14:18:33 thehackernews CYBERCRIME Arid Viper Group Targets Arabic Android Users with Spyware Disguised as Dating App
The cyber espionage group known as Arid Viper is behind an Android spyware campaign targeting Arabic-speaking users with a fake dating app. Arid Viper, also known as APT-C-23, Desert Falcon, or TAG-63, is reportedly aligned with Hamas, an Islamist militant movement governing the Gaza Strip; no evidence connects this campaign to the ongoing Israel-Hamas conflict. The deceptive app, which closely mimics a legitimate online dating application named Skipped, is part of the group's strategy of using lures built around its targets' social lives. Cisco Talos, which analyzed the campaign, cites an extensive network of similar dating-themed applications available in official app stores, suggesting Arid Viper might leverage these apps for future malicious campaigns. Once installed, the spyware can record audio and video, read contacts, access call logs, intercept messages, manage Wi-Fi settings, close background apps, capture photos, and create system alerts. The threat actor is also capable of downloading additional malware camouflaged as popular apps such as Facebook Messenger, Instagram, and WhatsApp. Recorded Future found indications that may link Arid Viper to Hamas through shared infrastructure related to an Android application named Al Qassam, disseminated in a Telegram channel affiliated with the Izz ad-Din al-Qassam Brigades, the military wing of Hamas.
2023-10-31 12:36:10 theregister MISCELLANEOUS UK Policing Minister Advocates Increased Use of Facial Recognition Technology
Chris Philp MP, the UK's Minister of State for Crime, Policing and Fire, has advocated increased use of algorithm-assisted facial recognition by police forces. The call accompanies the government's commitment to spend £17.5m ($21.3m) on a 'resilient and highly accurate system' to search all police-accessible image databases. The two types of facial recognition in use are live (LFR) and retrospective (RFR): RFR uses images from crime scenes to find a match in police databases, while LFR checks real-time footage against a pre-defined watch list of known criminals or suspects. Philp claims that the technology could help identify suspects in otherwise intractable or lengthy cases, citing examples such as murder, sex offences, domestic burglary, assault, car theft, and shoplifting. The Metropolitan Police has already used LFR successfully, with a recent deployment at an Arsenal v Tottenham match resulting in the arrest of three people for different crimes. However, Dr Tony Mansfield, principal research scientist at the National Physical Laboratory, expressed concerns about a potential bias in the system against black individuals when operated at low thresholds. Civil liberties organisations such as Big Brother Watch, Liberty, and Privacy International have previously strongly criticised police use of facial recognition technology, with specific reference to its planned use at the 2017 Notting Hill Carnival.
2023-10-31 12:05:02 thehackernews MALWARE Malicious NuGet Packages Found Distributing SeroXen RAT Malware
Cybersecurity researchers have discovered malicious packages published on the NuGet package manager that are linked to an ongoing coordinated campaign distributing the SeroXen RAT malware since August 1, 2023. The attackers behind the campaign have been consistently publishing new malicious packages to the NuGet repository. The malicious packages, which imitated popular packages and spanned several versions, exploited NuGet's MSBuild integrations feature, using inline tasks to execute the malicious code; this is regarded as the first known example of malware using NuGet's inline tasks feature for code execution. The packages concealed their malicious code behind runs of spaces and tabs so that it would not appear in default editor views, and their download counts were artificially inflated to make them seem legitimate. The ultimate aim was to use these packages as conduits for retrieving a secondary .NET payload hosted on throwaway GitHub repositories.
2023-10-31 11:23:54 thehackernews MISCELLANEOUS Introducing PentestPad: A Platform Revolutionizing Performance for Pentest Teams
PentestPad offers a platform that boosts collaboration and accelerates the workflow of penetration testing (pentest) teams. It provides automated report generation, real-time collaboration, and integration with leading pentesting tools, with the stated aim of improving productivity and exceeding client expectations. The tool offers customizable project management features, making it easy to control scope and track project progress. A traffic monitoring view helps track performance, showing how many projects a person is working on, their findings, and the average criticality per finding. PentestPad logs activity and is capable of detecting behaviors such as brute force attacks, offering insights into what led to a successful exploit of a vulnerability. Its automated reporting feature eliminates common pain points such as formatting and back-and-forth communication over vulnerability descriptions. The platform also supports vulnerability retesting, using AI to detect whether a previously identified vulnerability is still present. PentestPad is fully customizable, allowing white-labelling of reports and a choice between cloud or on-premise deployment, and it integrates with Slack, Jira, and Active Directory (LDAP).