Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11637
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-26 11:28:28 | bleepingcomputer | CYBERCRIME | New iLeakage Attack Exploits Apple Safari, Steals User Data | The iLeakage attack, a new speculative side-channel attack created by academic researchers, extracts sensitive data from Apple's Safari web browser and works on all recent Apple devices.
This is the first demonstrated speculative execution attack on Apple Silicon CPUs and on Safari; the researchers report "near perfect accuracy" when recovering data from Safari, and the attack also affects Firefox, Tor Browser and Edge on iOS, since Apple requires every iOS browser to be built on Safari's WebKit engine.
iLeakage uses a timerless, architecture-agnostic Spectre technique built on race conditions, so it sidesteps the coarse-grained timers and the other side-channel countermeasures that browsers rely on.
The attack was developed by researchers from Georgia Tech, the University of Michigan and Ruhr University Bochum, who focused on reading sensitive information out of Safari and defeating its side-channel protections.
It also gets around Safari's site isolation policy: a page opened through the JavaScript window.open API shares the attacker page's address space, and speculative type confusion is then used to leak data from the victim page.
Proof-of-concept code for the attack is in JavaScript and WebAssembly, and requires the victim to interact with the attacker's page for the attack to work. The researchers showcased successful retrieval of sensitive data in several experiments.
All Apple devices released since 2020 with A-series and M-series ARM processors are affected, and the attack leaves virtually no trace on the victim's system. It is complex and requires considerable expertise to carry out. Apple has been notified and has developed mitigations; at disclosure the macOS mitigation was opt-in rather than enabled by default, so administrators should check whether it is active. | Details |
| 2023-10-26 08:35:02 | theregister | DATA BREACH | ServiceNow Addresses 2015 Data Exposure Flaw Following Public Exposure by Researcher | Researcher Aaron Costello revealed the existence of a flaw in ServiceNow's platform which exposed user data, resulting from default configurations of the platform's widgets.
Several widgets, which effectively act as APIs, were public by default, so an unauthenticated attacker could call them and have them return records from whatever table was named in the request.
ServiceNow quietly issued a fix on October 20, although it had reportedly been aware of the misconfiguration for some time.
Costello noted that many of ServiceNow's Access Control Lists (ACLs), which govern access to resources, were left "empty" (no role, condition or script); an ACL with no conditions evaluates as allow, leaving the underlying records reachable through any public widget.
Using the 'Simple List' widget, an attacker could craft a request that retrieves personally identifiable information (PII) and other data simply by supplying known table and field names.
Costello said he had not observed attempts to exploit the misconfiguration, but stressed that the flaw has existed since 2015, which makes checking for historical exploitation difficult.
In a non-public article, ServiceNow said it has updated all blank ACLs with a script that grants access only when the user is logged in, and provided several further hardening recommendations. | Details |
| 2023-10-26 07:28:22 | thehackernews | MALWARE | Iranian Threat Actor Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks | Iranian threat actor Tortoiseshell, also known as Crimson Sandstorm, Imperial Kitten, TA456, and Yellow Liderc, has deployed a new wave of watering hole attacks involving IMAPLoader malware.
The malware fingerprints victim systems with native Windows utilities and acts as a downloader for further payloads, using email (IMAP) as its command-and-control channel.
The group has been active since at least 2018; its recent watering-hole campaign targets the maritime, shipping and logistics sectors in the Mediterranean, gathering visitor details from compromised websites and deploying IMAPLoader as a follow-on payload against high-value targets.
The attack method differs from Tortoiseshell's previously-used Python-based IMAP implant, with similarities suggesting IMAPLoader is a replacement.
Tortoiseshell has also created phishing sites targeting the travel and hospitality sectors in Europe for credential harvesting using fake Microsoft sign-in pages.
PwC warns Tortoiseshell remains an active threat to many industries and countries, including IT managed service providers in the Middle East, nuclear, aerospace, and defense industries in the U.S. and Europe. | Details |
| 2023-10-26 05:25:25 | thehackernews | DATA BREACH | Critical Vulnerability Detected in NextGen's Mirth Connect Exposing Healthcare Data | A serious and easily exploited unauthenticated remote code execution vulnerability has been discovered in Mirth Connect, an open-source data integration platform developed by NextGen HealthCare.
The vulnerability, known as CVE-2023-43208, has been addressed in the latest 4.4.1 version of the software, released on October 6, 2023.
Mirth Connect, dubbed the "Swiss Army knife of healthcare integration", is widely used in the healthcare industry for data communication and exchange between different systems.
Versions of Mirth Connect dating back to 2015/2016 are vulnerable.
CVE-2023-43208 is a patch bypass for an earlier critical remote command execution (RCE) vulnerability, CVE-2023-37679, which lets attackers execute arbitrary commands on the server hosting Mirth Connect.
Although it was initially claimed that only servers running Java 8 were affected, Horizon3.ai found that all instances of Mirth Connect are susceptible regardless of the Java version.
Updating to Mirth Connect 4.4.1 as soon as possible is strongly recommended, particularly for instances reachable from the internet, given the high risk and the fact that the exploitation technique is publicly understood. | Details |
| 2023-10-26 04:44:20 | thehackernews | NATION STATE ACTIVITY | Kazakhstan-Based YoroTrooper Cyber Espionage Group Targets CIS Countries | A cyber-espionage group originating from Kazakhstan named YoroTrooper has been found to be responsible for a series of attacks on government and state-owned entities across the Commonwealth of Independent States (CIS) since June 2022.
YoroTrooper was first identified by Cisco Talos in March 2023 and is also known as SturgeonPhisher by Slovak cybersecurity firm ESET.
The group primarily uses spear-phishing to distribute a range of commodity and open-source stealer malware, and also redirects victims to attacker-controlled credential-harvesting sites.
YoroTrooper has started updating its arsenal, shifting from commodity malware to custom tools written in Python, PowerShell, Golang and Rust.
The group extensively scans Kazakhstan's state-owned email service for vulnerabilities, a defensive interest that points to strong ties with the country.
From June 2023 the group began using custom implants and vulnerability scanners to get into victim networks; targets included Tajikistan's Chamber of Commerce, Kyrgyzstan's KyrgyzKomur and the Ministry of Energy of the Republic of Uzbekistan.
The latest update, in September 2023, added Golang and Rust malware for establishing reverse shells and harvesting sensitive data. | Details |
| 2023-10-25 22:48:49 | bleepingcomputer | CYBERCRIME | Samsung Galaxy S23 Hacked Twice More on Second Day of Pwn2Own 2023 Competition | The Samsung Galaxy S23 smartphone was hacked twice more on the second day of Pwn2Own 2023, a hacking competition held in Toronto.
Researchers from Interrupt Labs and ToChim both demonstrated zero-day exploits on the device, earning $25,000 and 5 Master of Pwn points each.
The Pwn2Own competition saw contestants demonstrate zero-day bugs in various devices from companies such as Canon, Synology, Sonos, TP-Link, QNAP, Wyze, Lexmark, and HP.
Despite running the latest version of Android with all security updates installed, the device was exploited twice, through an improper input validation flaw and a permissive allow-list of inputs.
On the second day of the competition, the organisers awarded $352,500 for over a dozen zero-days and multiple bug collisions, bringing the total to $791,250 awarded for 39 unique zero-days.
The hacking competition, hosted by Trend Micro's Zero Day Initiative (ZDI), sees contestants targeting a range of devices with the potential to win over $1,000,000 in cash prizes.
Upcoming competition days will see Samsung Galaxy S23 targeted once more by Team Orca of Sea Security. | Details |
| 2023-10-25 22:07:51 | bleepingcomputer | CYBERCRIME | Chilean Telecom Giant Grupo GTD Struck by Rorschach Ransomware Attack | The Rorschach ransomware gang targeted Grupo GTD, a major Latin American telecommunications company operating in Chile, Spain, Colombia and Peru. The attack hit its Infrastructure as a Service (IaaS) platform, disrupting data centers, internet access and VoIP services.
GTD had to disconnect its IaaS platform from the internet to prevent the spread of the attack which further caused service outages.
The Computer Security Incident Response Team (CSIRT) of Chile has confirmed the incident and has asked all public institutions using GTD's services to report if they were impacted.
The recent attack utilized the Rorschach ransomware variant, which was previously seen in an attack on a US company earlier this year.
The Rorschach ransomware is considered sophisticated and fast, with the capability to encrypt a device within 4 minutes and 30 seconds.
The ransomware loads its malicious DLL by side-loading it through legitimate Trend Micro, BitDefender and Cortex XDR executables, which look for the DLL in their own directory first.
CSIRT has recommended organizations connected to GTD's IaaS to take steps to confirm they have not been breached in this cyberattack. | Details |
| 2023-10-25 20:46:08 | bleepingcomputer | MISCELLANEOUS | Microsoft Experiments with Auto-discovery Feature for Encrypted DNS Servers | Microsoft is trialing support for Discovery of Network-designated Resolvers (DNR), an IETF standard (RFC 9463) that lets clients automatically discover encrypted Domain Name System (DNS) resolvers on the local network.
Without DNR support, users must manually enter the details of encrypted DNS servers in their network settings.
DNR-enabled devices can configure their resolver automatically and use an encrypted DNS protocol such as DNS over TLS (DoT), DNS over HTTPS (DoH) or DNS over QUIC (DoQ).
When a DNR-enabled device joins a new network, it asks the local Dynamic Host Configuration Protocol (DHCP) server for an IP address and, in the same exchange, for the DNR-specific option (the standard also defines an IPv6 Router Advertisement option).
The option carries the encrypted resolver's authentication domain name (ADN), its IP addresses and the service parameters (protocol, port, DoH path) the client needs to open an encrypted session, so encrypted DNS is set up without user intervention. Because DHCP itself is unauthenticated, the client must validate the resolver's TLS certificate against the ADN before trusting it; the addresses are only hints.
DNR support is rolling out to Windows Insiders on build 25982 or later and is not available on non-Insider Windows versions.
Build 25982 also lets admins mandate SMB client encryption for all outbound connections, defending against eavesdropping and interception, and adds block cloning support for the Resilient File System (ReFS) to the Windows copy engine, which speeds up copying large files. | Details |
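The following parser shows what a client actually has to do with the DHCPv4 DNR option described above. It is an added example written for this brief, not Microsoft's implementation or code from RFC 9463; it assumes the DHCPv4 layout from the RFC (instance length, service priority, length-prefixed ADN in DNS wire format, length-prefixed IPv4 addresses, then SVCB-style service parameters) and uses a constructed sample payload. The security-relevant details are the bounds check on every length field before it is used and the rejection of an empty ADN, since the ADN is the only thing the client can authenticate the resolver against.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One DNR instance from a DHCPv4 OPTION_V4_DNR payload (RFC 9463, section 4). */
struct dnr_instance {
    uint16_t priority;         /* Service Priority: lower value is preferred */
    char     adn[256];         /* Authentication Domain Name in dotted text form */
    uint8_t  addr[4][4];       /* IPv4 address hints; this demo keeps at most four */
    size_t   naddr;
    const uint8_t *svcparams;  /* SVCB-style SvcParams (alpn, port, dohpath ...), kept raw */
    size_t   svcparams_len;
};

/* Decode an uncompressed DNS wire-format name (RFC 1035 labels) into dotted text.
   Returns the bytes consumed, or 0 if the name is empty, overlong, truncated or
   uses a compression pointer (label length > 63), none of which is acceptable here. */
static size_t decode_adn(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    size_t i = 0, o = 0;
    while (i < len) {
        uint8_t l = p[i++];
        if (l == 0) break;                              /* root label ends the name */
        if (l > 63 || i + l > len || o + l + 2 > outsz) return 0;
        if (o) out[o++] = '.';
        memcpy(out + o, p + i, l);
        o += l;
        i += l;
    }
    out[o] = '\0';
    return o ? i : 0;                                   /* an empty ADN cannot authenticate anything */
}

/* Parse the first DNR instance of the option payload (bytes after option-code and
   option-length). Returns 1 on success, 0 if any length field does not fit the data.
   Every length is checked against the remaining bytes before it is used. */
int parse_dnr_v4(const uint8_t *opt, size_t optlen, struct dnr_instance *out)
{
    memset(out, 0, sizeof *out);
    if (optlen < 2) return 0;
    size_t inst_len = ((size_t)opt[0] << 8) | opt[1];
    if (inst_len < 3 || inst_len > optlen - 2) return 0;   /* need priority(2) + ADN length(1) */
    const uint8_t *p = opt + 2;
    size_t i = 2;
    out->priority = (uint16_t)((p[0] << 8) | p[1]);
    uint8_t adn_len = p[i++];
    if (adn_len == 0 || adn_len > inst_len - i) return 0;
    if (decode_adn(p + i, adn_len, out->adn, sizeof out->adn) == 0) return 0;
    i += adn_len;
    if (i == inst_len) return 1;                            /* ADN-only mode: nothing else follows */
    uint8_t addr_len = p[i++];
    if (addr_len % 4 != 0 || addr_len > inst_len - i) return 0;
    for (size_t k = 0; k < addr_len; k += 4)
        if (out->naddr < 4) memcpy(out->addr[out->naddr++], p + i + k, 4);
    i += addr_len;
    out->svcparams = p + i;                                 /* only meaningful when addresses are present */
    out->svcparams_len = inst_len - i;
    return 1;
}

/* Render address k as a dotted quad into out (empty string if k is out of range). */
const char *dnr_addr_str(const struct dnr_instance *d, size_t k, char *out, size_t outsz)
{
    if (k >= d->naddr) { if (outsz) out[0] = '\0'; return out; }
    snprintf(out, outsz, "%u.%u.%u.%u", (unsigned)d->addr[k][0], (unsigned)d->addr[k][1],
             (unsigned)d->addr[k][2], (unsigned)d->addr[k][3]);
    return out;
}

/* Constructed sample payload (not captured from a real network): one instance with
   priority 10, ADN "dns.example.net", one address 192.0.2.53 and SvcParams alpn="dot". */
const uint8_t sample_dnr_v4[] = {
    0x00, 0x21,                                  /* DNR Instance Data Length = 33 */
    0x00, 0x0a,                                  /* Service Priority = 10 */
    0x11,                                        /* ADN Length = 17 */
    3, 'd', 'n', 's', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'n', 'e', 't', 0,
    0x04,                                        /* Addr Length = 4 */
    192, 0, 2, 53,
    0x00, 0x01, 0x00, 0x04, 3, 'd', 'o', 't'     /* SvcParamKey 1 (alpn), length 4, "dot" */
};
const size_t sample_dnr_v4_len = sizeof sample_dnr_v4;

struct dnr_instance parsed_sample;
char addr_text[16];

int main(void)
{
    if (!parse_dnr_v4(sample_dnr_v4, sample_dnr_v4_len, &parsed_sample)) {
        puts("malformed DNR option");
        return 1;
    }
    printf("priority=%u adn=%s addr=%s svcparams=%zu bytes\n", parsed_sample.priority,
           parsed_sample.adn, dnr_addr_str(&parsed_sample, 0, addr_text, sizeof addr_text),
           parsed_sample.svcparams_len);
    return 0;
}
```

A real client would go on to decode the SvcParams (alpn selects DoT, DoH or DoQ, port and dohpath complete the endpoint), connect to one of the addresses, and only keep the session if the presented certificate is valid for the ADN; a DHCP server on a hostile network can hand out any addresses it likes, so the certificate check is where the trust actually comes from.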
| 2023-10-25 19:49:39 | theregister | CYBERCRIME | Canadian Hospitals and Officials Targeted in Cyberattacks and Disinformation Campaigns | Five Ontario hospitals experienced a cyberattack that disrupted IT systems and affected patient care, leading to the delay or cancellation of appointments. The service provider, TransForm, is investigating whether any patient data was accessed during the incident.
TransForm, a nonprofit founded by the targeted hospitals to manage their IT, supply chain, and accounts payable services, handles one million patient-related messages daily and manages 10,000 devices.
Canadian government officials, including the Prime Minister, were targeted by a disinformation campaign called Spamouflage. The campaign involved spamming officials’ Facebook and other social media accounts with fake news stories and propaganda, some of which were created using deepfake technology.
Spamouflage or Dragonbridge, linked to the People’s Republic of China, has affected thousands of Facebook and Instagram accounts and more than 50 other platforms. Its activities have previously attracted attention, including ahead of the 2022 U.S. midterm elections and by trolling rare-earth mining companies.
The Canadian government said the Spamouflage campaign against its politicians began in early August and intensified over September’s Labour Day long weekend, with “thousands of comments” in English and French being left on politicians’ social media pages.
After being alerted by government officials, the targeted social media platforms removed much of the spam content. However, new spam accounts could be created, making this a continuing global issue. | Details |
| 2023-10-25 18:58:24 | bleepingcomputer | CYBERCRIME | New Flipper Zero Firmware Capable of Bluetooth Spam Attacks on Android and Windows Devices | The customized firmware, Flipper Zero 'Xtreme', has added a feature that allows Bluetooth spam attacks on Android and Windows devices, previously seen only on Apple iOS devices.
The spam works by spoofing Bluetooth Low Energy advertising packets and broadcasting them to devices in range, which then show a stream of pairing pop-ups and notifications.
The 'spam attack' feature is included in the latest development build and offers eight flood options.
These attacks are more annoying than dangerous: they do not achieve code execution or cause direct harm to the receiving device.
Even so, the crafted notifications could play a part in social engineering or other scam scenarios.
The pop-ups are driven by Fast Pair on Android and Swift Pair on Windows, and both can be switched off: on Android under Settings > Google > Devices & sharing > Devices ("Scan for nearby devices"), and on Windows under Settings > Bluetooth & devices > Devices ("Show notifications to connect using Swift Pair").
As the spam could be used as a lure for phishing, it is worth knowing how to manage and stop these notifications. | Details |
| 2023-10-25 18:37:39 | bleepingcomputer | CYBERCRIME | Windows 11 upgrades SMB encryption for outbound connections to enhance data security | Windows 11, from Insider Preview Build 25982, will allow administrators to mandate Server Message Block (SMB) encryption for all outbound connections.
With the setting enabled, the client refuses to connect to any server that does not support SMB 3.x encryption (SMB 3.0 or later), protecting against interception and eavesdropping attacks.
The requirement can be set through PowerShell or the 'Require encryption' group policy; previously encryption could only be required per server, per share or for a mapped drive, whereas the new setting applies to every outbound connection from the client.
Insider Preview Build 25951 had already let admins configure systems to block sending NTLM credentials over remote outbound SMB connections, guarding against password cracking, NTLM relay and pass-the-hash attacks.
These changes are part of Microsoft's broader SMB hardening effort, which also includes disabling the SMB1 protocol by default and introducing an SMB authentication rate limiter. | Details |
| 2023-10-25 16:50:07 | theregister | CYBERCRIME | Pro-Russian Cyber Group Exploits Zero-Day in European Government Email Attacks | The pro-Russia cyber-spy group, Winter Vivern, is exploiting an XSS zero-day vulnerability in the open-source webmail client, Roundcube in targeted attacks against European government entities.
The specific government entities targeted have not been named by ESET researchers, but based on Winter Vivern's nexus with Russia and Belarus, adversaries of these countries are likely targets.
The zero-day, CVE-2023-5631, was reported by ESET to the Roundcube team on October 12, leading to the development of a patch two days later.
Victims received a convincing phishing email purporting to come from the Microsoft Outlook team. Simply viewing the message in Roundcube was enough to trigger the XSS, and the JavaScript payload then enumerated folders and emails in the victim's account.
While Winter Vivern's tools are not sophisticated, the group poses a substantial threat because of its persistent phishing campaigns and because many internet-facing applications are not updated regularly, leaving known vulnerabilities exposed.
Winter Vivern has historically exploited known vulnerabilities in Roundcube and Zimbra for espionage, so using a zero-day is a step up in the sophistication of its operations.
Winter Vivern is known to primarily target locations in Europe and Central Asia, but has previously been linked to attacks against U.S. government officials and European lawmakers. | Details |
| 2023-10-25 16:44:31 | bleepingcomputer | CYBERCRIME | Japanese Watchmaker Seiko Confirms Data Breach Following Ransomware Attack | Japanese watchmaker Seiko experienced a Black Cat ransomware attack resulting in a data breach divulging sensitive customer, partner, and employee information.
Investigations found that a total of 60,000 'items of personal data' held by Seiko Group Corporation (SGC), Seiko Watch Corporation (SWC) and Seiko Instruments Inc. (SII) were compromised.
Unauthorized access to at least one of Seiko's servers occurred on 28 July 2023; the company warned of the intrusion on 10 August 2023.
On 21 August 2023, the BlackCat/ALPHV ransomware gang claimed responsibility, boasting theft of production plans, staff passport scans, new model release schedules, lab test results, and sensitive technical schematics.
Information suggests that BlackCat purchased access to Seiko's network from an Initial Access Broker (IAB) a day before the intrusion was identified.
All personal and technical data leaked by the attackers has been identified; however, the cybercriminals did not gain access to credit card details of customers.
Seiko is working with cybersecurity specialists to strengthen its network security and promises to notify affected customers and partners individually. | Details |
| 2023-10-25 15:27:29 | bleepingcomputer | CYBERCRIME | Publicly Available Exploit for 'Citrix Bleed' Vulnerability May Attract More Hackers | A Proof-of-Concept (PoC) exploit has been released for the 'Citrix Bleed' vulnerability that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances.
Exploitation of CVE-2023-4966, a critical, remotely exploitable sensitive information disclosure flaw, has accelerated since Citrix's warning to administrators.
Researchers at Assetnote worked out the specifics of exploiting CVE-2023-4966 and released a PoC exploit on GitHub to illustrate the vulnerability and to support testing.
By diffing unpatched and patched NetScaler builds, Assetnote traced the bug to a buffer over-read: the function that generates a JSON response body formats it into a fixed-size buffer with snprintf, and the pre-patch code used snprintf's return value (the length the complete output would have had, even when it was truncated to fit) as the number of bytes to send, without checking it against the buffer size.
The hostname embedded in that JSON payload is taken from the client's request in a default configuration, so an over-long hostname makes the appliance return memory beyond the end of the buffer, which includes session cookies; replaying such a cookie gives the attacker authenticated access to the appliance.
Since the CVE-2023-4966 exploit has been made publicly accessible, further cyber-attacks are expected to focus on targeting Citrix Netscaler devices to infiltrate corporate networks.
Immediate patching to resolve the flaw is advised due to its use in ransomware and data theft attacks. | Details |
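The bug class Assetnote describes, snprintf's return value being used as a send length, is easy to reproduce in isolation. The following is an added illustration written for this brief, not NetScaler code: the JSON shape, the 4096-byte buffer and the attacker-supplied hostname are assumptions, and the program does not perform the over-read itself (that would be undefined behaviour); it shows the length mismatch that causes it, next to the check that the patched pattern applies.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RESP_BUF_SIZE 4096          /* fixed-size response buffer (size assumed for the demo) */

/* Stand-in for a JSON discovery document that embeds the request's hostname twice.
   The document shape is hypothetical; only the length arithmetic matters here. */
static int build_discovery_json(char *buf, size_t bufsz, const char *host)
{
    return snprintf(buf, bufsz,
                    "{\"issuer\":\"https://%s\",\"authorization_endpoint\":\"https://%s/authorize\"}",
                    host, host);
}

/* Pre-patch pattern: snprintf's return value is taken as the number of bytes to send.
   That value is the length the complete output WOULD have had, even when the output
   was truncated to fit bufsz, so a long hostname yields a length larger than the buffer
   and whatever follows the buffer in memory goes out with the response. */
size_t response_len_vulnerable(char *buf, size_t bufsz, const char *host)
{
    int n = build_discovery_json(buf, bufsz, host);
    return n < 0 ? 0 : (size_t)n;
}

/* Patched pattern: a return value >= bufsz means truncation. Refuse to serve the
   document rather than sending a length the buffer cannot back. */
size_t response_len_fixed(char *buf, size_t bufsz, const char *host)
{
    int n = build_discovery_json(buf, bufsz, host);
    if (n < 0 || (size_t)n >= bufsz) return 0;
    return (size_t)n;
}

/* How many bytes past the end of the buffer a send of `claimed` bytes would read. */
size_t over_read_bytes(size_t claimed, size_t bufsz)
{
    return claimed > bufsz ? claimed - bufsz : 0;
}

/* Constructed input: a hostname of `len` 'a' characters, as an attacker who controls
   the Host header could supply. */
static char demo_host[16384];
const char *long_hostname(size_t len)
{
    if (len >= sizeof demo_host) len = sizeof demo_host - 1;
    memset(demo_host, 'a', len);
    demo_host[len] = '\0';
    return demo_host;
}

char resp[RESP_BUF_SIZE];

int main(void)
{
    const char *benign = "gateway.example";
    printf("benign host: vulnerable=%zu fixed=%zu\n",
           response_len_vulnerable(resp, RESP_BUF_SIZE, benign),
           response_len_fixed(resp, RESP_BUF_SIZE, benign));
    const char *evil = long_hostname(6000);
    size_t claimed = response_len_vulnerable(resp, RESP_BUF_SIZE, evil);
    printf("6000-byte host: vulnerable claims %zu bytes (%zu past the %d-byte buffer), fixed=%zu\n",
           claimed, over_read_bytes(claimed, RESP_BUF_SIZE), RESP_BUF_SIZE,
           response_len_fixed(resp, RESP_BUF_SIZE, evil));
    return 0;
}
```

For a benign hostname both functions agree and the response is exactly the string in the buffer; for the long hostname the vulnerable version hands the network layer a length several kilobytes larger than the buffer, which is the over-read. The same check applies to any `snprintf`/`vsnprintf` caller whose return value feeds a length, a `memcpy`, or pointer arithmetic.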
| 2023-10-25 14:05:06 | bleepingcomputer | MALWARE | Ransomware Attacks Continue to Rise Globally and Target Diverse Businesses | Cyberattacks are steadily evolving, with ransomware attacks becoming a major concern due to their capacity to both harm systems and extort money from victims.
A recent report by Malwarebytes revealed a significant rise in global ransomware attacks in 2023, with 1,900 recorded against the US, Germany, France, and the UK combined.
Cyber Security Ventures estimates that a ransomware attack will occur every two seconds by 2031, resulting in annual losses of approximately $265 billion worldwide.
Although originally most targeted at larger organizations, ransomware attackers are broadening their scope to include small and medium enterprises as well as individuals.
The Ransomware as a Service (RaaS) business model has facilitated the spread of these attacks, providing the necessary infrastructure and payment systems for less technically skilled criminals to engage in ransomware attacks.
Poor password practices remain a common entry point for ransomware (LockBit, the most widely deployed family, is cited as the example), highlighting the need for stronger password policies to reduce that exposure.
To defend against ransomware, organizations are encouraged to adopt robust cybersecurity solutions, including those that block compromised passwords, often a point of vulnerability. | Details |