Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 11637
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2023-10-27 04:24:36 | thehackernews | CYBERCRIME | F5 Issues Alert About Critical BIG-IP Vulnerability Allowing Remote Code Execution | F5 has warned customers about a critical security vulnerability affecting its BIG-IP system, exposing it to unauthenticated remote code execution.
The problem, which is located in the configuration utility component, has been tagged with the CVE identifier CVE-2023-46747 and carries a CVSS score of 9.8 out of 10.
The issue lets an unauthenticated attacker execute arbitrary system commands through network access to the BIG-IP management port and/or self IP addresses; it does not involve data plane exposure.
F5 has provided a shell script as a temporary workaround for users of BIG-IP versions 14.1.0 and onwards, warning against its use on previous versions as it will prevent the Configuration utility from starting.
The vulnerability, discovered by Michael Weber and Thomas Hendrickson of cybersecurity company Praetorian, is an authentication bypass problem and is the third of its kind uncovered in TMUI. | Details |
| 2023-10-26 23:09:40 | bleepingcomputer | CYBERCRIME | Microsoft Warns about Extortion and Ransom Attacks from Sophisticated Hacker Group Octo Tempest | Microsoft has released a comprehensive profile of a cyber threat actor named Octo Tempest, an advanced, English-speaking group primarily engaged in data extortion and ransomware attacks.
The group started as a reckless actor involved in SIM swapping and stealing accounts of high-profile individuals, mostly those with cryptocurrency assets.
However, since early 2022, Octo Tempest has evolved, expanded its targets to include organizations in multiple sectors such as gaming, hospitality, retail, manufacturing, technology, and financial services, and begun partnering with the ALPHV/BlackCat ransomware group.
The group relies heavily on social engineering in its attacks, often impersonating employees or administrators, resetting passwords, and requesting permission upgrades to gain access to systems and data.
After obtaining access, Octo Tempest begins the reconnaissance stage of the attack, collecting information that allows it to progress the intrusion, and then explores the infrastructure, harvesting access and resources across various environments and systems.
Octo Tempest hides its presence on the compromised network by suppressing alerts and modifying the mailbox rules to delete emails that could signal a potential breach.
Detection or hunting for this threat actor is challenging due to their use of social engineering, blending in with normal activities, and diverse tooling.
Microsoft recommends monitoring and reviewing identity-related processes, Azure environments, and endpoints as a method to detect malicious activities by Octo Tempest. | Details |
| 2023-10-26 22:58:56 | bleepingcomputer | CYBERCRIME | Microsoft Reveals Profile of Diverse and Advanced Cyber Threat Group Octo Tempest | Microsoft has published a detailed profile of the advanced threat actor Octo Tempest, which has been linked to data extortion and ransomware attacks. The actor has had a significant impact on various sectors, including gaming, hospitality, retail, manufacturing, technology, finance, and managed service providers.
Initially involved in SIM swap fraud and account theft, Octo Tempest has developed advanced social engineering capabilities and has shifted its focus to phishing, password resetting, and data theft, partnering with the ALPHV/BlackCat ransomware group later on.
The group has leveraged its experience over the years to build more sophisticated and aggressive attack methods, monetizing intrusions by extorting victims post data theft, even resorting to physical threats in some cases.
Octo Tempest hackers frequently gain initial access by targeting technical administrator accounts using advanced social engineering techniques. They often impersonate individuals within a company using mimicked speech patterns in phone calls to trick staff into performing password resets and resetting multi-factor authentication methods.
Investigators from Microsoft report that Octo Tempest continuously scans for additional credentials to enhance their reach, employing tools to automate their search for plaintext keys, secrets, and passwords across code repositories. They also manipulate security personnel accounts to disable security measures.
The organization is financially driven, and it generates revenue through cryptocurrency theft, data theft extortion or through system encryption followed by ransom demands. Detecting this threat group is acknowledged as challenging due to the advanced and diverse nature of the strategies they employ. | Details |
| 2023-10-26 21:16:52 | theregister | MALWARE | Apple Releases Urgent Patch for TriangleDB Malware Exploiting iPhone and iPad Vulnerability | Apple has launched critical security fixes, including a patch for a vulnerability impacting all iPhones and iPads manufactured before September 2021, which has reportedly been leveraged by cyber attackers.
The vulnerability, known as CVE-2023-32434, could allow the execution of arbitrary code with kernel privileges on devices running iOS versions prior to 15.7.
Kaspersky's research team unearthed the bug and communicated it to Apple. The team found the flaw during their investigation of an espionage campaign called Operation Triangulation.
Along with CVE-2023-32434, Kaspersky researchers identified three more zero-day vulnerabilities, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990, exploited by unidentified cyber spies to compromise myriad Apple products.
The malware, named TriangleDB, requires no user interaction to infect devices and gives hackers access to all data and system information once installed.
Additionally, Kaspersky developed a tool named 'triangle_check', which scans iOS device backups for possible indicators of a TriangleDB compromise.
Victims of the cyber-espionage campaign include security researchers from regions including Russia, Europe, the Middle East, Turkey, and Africa. The researchers are yet to link it conclusively to an existing cyber threat actor. | Details |
| 2023-10-26 20:20:44 | theregister | CYBERCRIME | The Underestimated Insider Security Threat: Recent Cases | Insider threats have proven consistently more effective than outsider hackers, despite the focus on fortifying external security measures.
Earlier this week, a rogue systems engineer who had resigned from the NSA tried to sell stolen documents to a Russian agent in exchange for cryptocurrency; he was quite easily detected.
An ex-staffer from Dutch chip-making firm ASML allegedly transferred corporate secrets when he took a new job with Huawei.
On Wednesday, a report indicated that US Immigration and Customs Enforcement had employed security investigators to sift through social media content for anti-American sentiments.
This series of insider threat incidents emphasises the necessity for stronger internal security practices to prevent misuse of corporate credentials and protect sensitive information. | Details |
| 2023-10-26 19:03:30 | bleepingcomputer | MALWARE | Malicious Adware Apps on Google Play Reach Two Million Installs | Several adware-laden apps have been downloaded over two million times from Google Play; the apps were disguised as games and concealed their presence on infected devices.
The malware was found to be associated with the 'FakeApp,' 'Joker,' and 'HiddenAds' families according to cybersecurity firm Doctor Web.
Their analysts identified that the apps, once downloaded, replaced their icons with that of Google Play to remain hidden.
These apps would abuse the browser to launch ads, generating revenue for the apps' creators. Other apps were found to direct users to investment scam sites.
Two 'Joker'-related apps were also discovered, and would subscribe users to expensive, premium content services.
All mentioned malicious apps have since been removed from Google Play, but users who had previously downloaded them have been advised to delete them and run full device scans.
To avoid downloading malicious apps, users are recommended to limit app installs, read user reviews, and verify the publisher's credibility. | Details |
| 2023-10-26 17:56:47 | bleepingcomputer | CYBERCRIME | Nigerian Police Dismantle Cybercrime Recruitment, Mentoring Hub; Arrest Six Suspects | The Nigerian Police Force has arrested six suspects and dismantled a hub linked to cybercrime activities including business email compromise, investment scams and romance fraud.
The operation took place on September 13, 2023, in the Dantata estate area, culminating in the seizure of digital devices believed to have been used for criminal activities.
The suspects admitted to their involvement in cybercrime activities including identity theft, hacking, trading in hacked Facebook accounts, computer-related fraud and forgery.
The Nigerian Police Force encouraged the public and landlords to condemn cybercrime, expose any recruitment centres and report suspicious online activity to the police.
The Federal Trade Commission issued a warning earlier this year about the rising incidence of romance scams costing American victims roughly $1.3 billion. The FBI also reported that BEC scams have led to losses of $43 billion from June 2016 to July 2019.
Cryptocurrency 'pig butchering' investment schemes have also seen a spike, with a total of over $2 billion being stolen in 2022 alone.
Law enforcement urges all online users to exercise caution and be wary of social engineering attacks asking for sensitive information or money. | Details |
| 2023-10-26 17:51:09 | theregister | MALWARE | Researchers Develop iLeakage Exploit Attacking Apple's Devices and WebKit Engine | University researchers have developed "iLeakage", an exploit that can steal information from nearly all modern Apple devices.
The exploit targets WebKit, the engine that powers Apple's Safari browser, and can steal Gmail inbox data, text messages, passwords, and other miscellaneous information from Apple devices running A-series or M-series chips.
Third-party browsers on Apple devices, such as Chrome and Firefox, are also vulnerable to this attack, since Apple requires all browsers on its App Store to be based on WebKit.
The method of attack, similar to Meltdown and Spectre, abuses a feature of most modern CPUs called speculative execution, in which the CPU mispredicts upcoming work and pre-executes instructions that depend on sensitive data.
Despite the practical application of this attack being comparatively low due to its slow speed and the high degree of technical understanding required, it could potentially have a high success rate due to the accuracy of data exfiltrated (90-99% accuracy depending on devices).
The exploit can be mitigated but the mitigation is only available for macOS users; it's not enabled by default and is also marked as unstable.
The researchers have already disclosed their findings to Apple; however, the company has not publicly addressed the matter so far. | Details |
| 2023-10-26 16:54:06 | thehackernews | CYBERCRIME | Academic Group Identifies ‘iLeakage’ Exploit Impacting Apple Devices | Academics have discovered an exploit called 'iLeakage' that targets a weakness in the 'A' and 'M' series CPUs of Apple devices running iOS, iPadOS, and macOS. The attack allows the extraction of sensitive information from the Safari web browser.
The exploit also works on third-party web browsers due to an Apple App Store policy that necessitates these browsers use Safari's WebKit engine.
Through speculative execution, a malicious web page can access sensitive data belonging to another page in the same browser. The method weaponizes a microarchitectural side channel, leveraging signals such as timing to infer sensitive information.
The attack bypasses measures put in place by Apple to harden its systems. The reveal of ‘iLeakage’ follows a series of similar side-channel attacks such as Collide+Power, Downfall and Inception.
Despite the revelation, the chance of the vulnerability being exploited in real-world scenarios remains unlikely due to the significant technical skills required. | Details |
| 2023-10-26 16:43:16 | bleepingcomputer | NATION STATE ACTIVITY | 'Fancy Bear' Russian Hackers Target French Entities, ANSSI Report Finds | The APT28 Russian hacking group, also known as 'Strontium' or 'Fancy Bear', has been infiltrating French government, business, and research networks since mid-2021, according to a report by the French agency ANSSI (Agence Nationale de la sécurité des systèmes d'information).
The group, believed to be part of Russia's military intelligence service GRU, has exploited vulnerabilities in WinRAR and Microsoft Outlook to carry out these attacks.
Rather than using backdoors, the hackers are compromising devices on the periphery of networks to avoid detection. They use brute-forcing tactics and leaked databases with access credentials, and have run phishing campaigns to acquire system configurations.
From March 2022 to June 2023, they exploited a then-zero-day vulnerability in Microsoft Outlook, an activity that was reportedly started a month earlier than initially reported. Other assorted vulnerabilities in Microsoft Windows and Roundcube were also exploited during this period.
ANSSI has noted that the group uses a variety of VPN clients and exploits cloud storage services to avoid traffic monitoring detection, and uses implants to collect information from victims' browsers.
The agency recommends a comprehensive approach to security, with a particular focus on email security. | Details |
| 2023-10-26 14:50:26 | bleepingcomputer | MALWARE | Sophisticated StripedFly Cross-Platform Malware Infects Over 1 Million Systems | The StripedFly malware framework infected over a million Windows and Linux systems over five years before its discovery and appropriate classification by cybersecurity firm Kaspersky.
This advanced persistent threat (APT) malware was inaccurately classified as a Monero cryptocurrency miner due to its diversion tactics.
It featured advanced Tor-based traffic concealment, automatic updates, and worm-like propagation, with evidence of its activity dating back to 2017.
Infected systems were likely initially breached via a custom EternalBlue SMBv1 exploit targeting internet-connected devices, using trusted platforms like Bitbucket, GitHub, and GitLab to execute additional files.
The multi-module malware has numerous functionalities including crypto mining, data theft, system exploitation, and ransomware capabilities, indicative of an APT operation.
StripedFly adapts its persistence strategies based on the privilege level it operates on and the availability of PowerShell in Windows systems. On Linux, it masquerades as 'sd-pam' and secures persistence via systemd services or by modifying various profile and startup files.
Cybersecurity experts estimate that between February 2022 and September 2023, over 280,000 systems were infected, pointing to the severity and scale of the compromise. | Details |
| 2023-10-26 13:58:46 | thehackernews | CYBERCRIME | Microsoft Warns of 'Scattered Spider' Collective's Financial Fraud Activities | Microsoft has warned of an increasingly dangerous threat actor known as Scattered Spider, which has been impersonating new employees to blend into organizations' hiring procedures and execute account takeovers and data breaches worldwide.
Known for adversary-in-the-middle (AiTM) techniques, social engineering, and SIM swapping, the group has been identified as a significant global financial criminal organization.
Initial strategies involved targeting mobile telecom providers to initiate SIM swaps, followed by account takeovers of wealthy individuals for cryptocurrency theft. The group has since diversified its targets, becoming an affiliate for the BlackCat ransomware gang and incorporating extortion into its attack model.
Scattered Spider has also used fear tactics, utilizing personal information and occasionally resorting to physical threats to coerce victims into providing corporate access credentials.
The group's reconnaissance and privilege escalation techniques include stealing password policy procedures and downloading user, group, and role exports. They have also impaired security products to avoid detection and tampered with security staff mailbox rules.
Besides compromising security personnel accounts, the actor group has demonstrated considerable technical expertise, using various tactics like enrolling actor-controlled devices into device management software to bypass controls and replaying harvested tokens with satisfied MFA claims to bypass MFA.
Microsoft identified a unique technique used by the group, which involves compromising VMware ESXi infrastructure and running arbitrary commands against the hosted virtual machines via the open-source Linux backdoor Bedevil. | Details |
| 2023-10-26 13:06:54 | thehackernews | DDOS | Record-Breaking DDoS Attack Exploits HTTP/2 Rapid Reset Vulnerability | Cloudflare reported that it mitigated thousands of hyper-volumetric HTTP DDoS attacks exploiting a newly discovered flaw, HTTP/2 Rapid Reset, 89 of which exceeded 100 million requests per second (RPS).
The company noted that these attacks contributed significantly to a 65% surge in HTTP DDoS attack traffic in Q3 compared to Q2.
The total number of HTTP DDoS attack requests for the quarter rose to 8.9 trillion, up from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023.
The HTTP/2 Rapid Reset (CVE-2023-44487) flaw was recently discovered, and DDoS attacks utilizing this flaw have been orchestrated by an unknown actor against providers like Amazon Web Services, Cloudflare, and Google Cloud.
According to Cloudflare, botnets exploiting HTTP/2 can generate up to 5,000 times more force per botnet node, which enables them to conduct hyper-volumetric DDoS attacks with a small botnet of just 5,000 to 20,000 nodes.
Top industries targeted by HTTP DDoS attacks include gaming, IT, cryptocurrency, computer software, and telecom. The US, China, Brazil, Germany, and Indonesia were the biggest sources of application layer (L7) DDoS attacks.
DNS-based DDoS attacks were the most common for the second quarter in a row, encompassing almost 47% of all attacks, a 44% increase compared to the previous quarter. | Details |
| 2023-10-26 13:01:12 | bleepingcomputer | DDOS | Surge in Hyper-volumetric HTTP DDoS Attacks Recorded in Q3 2023 Highlights Changes in Threat Landscape | Cloudflare reports a spike in the number and scale of hyper-volumetric HTTP DDoS attacks in the third quarter of 2023, exceeding all previous years combined.
The largest of these attacks peaked at 201 million requests per second (rps), tripling the previous record set in February 2023. It was mostly enabled by exploiting the 'HTTP/2 Rapid Reset' technique.
Cloudflare records a 65% upsurge in overall HTTP DDoS attack traffic over the last quarter, along with a 14% increase in L3/L4 DDoS attacks.
Key targets this quarter include gaming and gambling industries, IT and internet services, cryptocurrency, software, and telecommunication sectors.
Other notable trends include a 456% increase in multicast DNS (mDNS) attacks, a 387% uptick in Constrained Application Protocol (CoAP) exploits, and a 303% rise in Encapsulating Security Payload (ESP) DDoS attacks.
Contrarily, ransom DDoS attacks are on a downward trend, declining for the second successive quarter.
Defense strategies need to continuously adapt and evolve to tackle these emerging and changing DDoS attack techniques. | Details |
| 2023-10-26 12:04:37 | thehackernews | CYBERCRIME | Rogue Tracking Pixels Expose Websites to Privacy Risks and Legal Challenges | Reflectiz, a website security solution provider, recently released a case study highlighting a common, overlooked risk: a forgotten and misconfigured pixel on a website.
The forgotten pixel, associated with a leading global healthcare provider, illegally collected private user data without consent, exposing the company to potential fines and reputational damage.
The pixel, originally added during a four-year-old marketing campaign, had continued to collect sensitive patient health information unnoticed, even as the website went through updates and changes.
The incident highlights the issue of "configuration drift," where IT system configurations unintentionally deviate from their intended state over time, leading to vulnerabilities, performance issues, and compliance problems.
As such tracking pixels are commonplace on websites across industries, this case serves as a warning of the potential legal and ethical pitfalls that can occur with unauthorized data collection and non-compliance with data protection regulations.
Reflectiz underscores the importance of vigilance and proactive monitoring, pointing out that their tools were instrumental in identifying and resolving this data leakage issue. | Details |