Daily Brief

Total articles found: 11607

2023-10-24 08:21:16 theregister MISCELLANEOUS SANS Announces New Webinar on Cloud Security and Identity Management
The SANS Institute has rolled out a training and certification curriculum centered on cloud security as data and applications increasingly move to hybrid cloud environments. The 'Bridge to the Clouds: Unifying Worlds with Entra ID in Hybrid Landscapes' webinar will be broadcast at 2pm UTC on 7 November, hosted by Simon Vernon, head of research and development at SANS. The webinar will provide insight into how Microsoft's Entra ID can improve identity and access management in hybrid cloud environments. Vernon's role includes overseeing all BootUP and Community Cyber Range creation and operations. The webinar is part of a range of free resources, including videos, surveys, and white papers, that SANS offers to cloud security practitioners. These resources cover topics such as secure DevOps, API security, Role-Based Access Control for Kubernetes, and the Scaler Zero Trust platform. Members can also access open-source tools, infographics, and newsletters with expert analyses of cyber security trends and risks.
2023-10-24 07:04:28 bleepingcomputer CYBERCRIME Ransomware Attacks Reach Record Numbers in September 2023
Ransomware activity reached unprecedented levels in September 2023, with 514 attacks, surpassing the previous record set in March 2023, according to data from NCC Group. The record was driven by various threat groups, led by LockBit 3.0, LostTrust, and BlackCat. LostTrust, a new threat actor believed to be a rebrand of MetaEncryptor, encrypted the networks of many organizations, some of which also experienced data leaks. Newcomer RansomedVC, which uses threats of GDPR reporting as leverage, ranks fourth in NCC's data with 44 attacks. About 20% of attacks in September came from new ransomware operations, demonstrating their aggressiveness and scalability. Geographically, North America was the most targeted region, accounting for 50% of the attacks, followed by Europe with 30%, and Asia with 9%. The most targeted sectors were industrials (construction, engineering, commercial services), consumer cyclicals (retail, media, hotels), technology (software and IT services, networking, telecommunications), and healthcare. The total number of attacks recorded from January to September 2023 was nearly 3,500, and the final figure for the year is now predicted to be around 4,000.
2023-10-24 06:38:36 thehackernews CYBERCRIME Advanced Threat Actor Modifies Backdoor in Hacked Cisco Devices to Avoid Detection
Threat actors have upgraded a backdoor installed by exploiting two zero-day flaws in Cisco devices, making it capable of evading previous fingerprinting detection methods. The backdoor now responds only if the correct Authorization HTTP header has been set, indicating a level of sophistication on the part of the hackers. The exploit chain, which uses two vulnerabilities (CVE-2023-20198 and CVE-2023-20273), allows the threat actors to gain access to the devices, create a privileged account, and install a Lua-based implant. While Cisco has begun releasing security updates, thousands of devices are estimated to remain at risk, with more than 37,000 known to have been compromised. A recent sudden drop in the number of compromised devices has been attributed to modifications that hide the backdoor's presence, rather than to a reduction in attacks. The identity of the threat actor involved is not yet known, with observed infections suggesting a large-scale, indiscriminate hacking operation. Cisco has now detailed a detection method for the modified backdoor in its updated advisories.
2023-10-24 04:56:32 thehackernews DATA BREACH 1Password Detects Suspicious Activity After Okta Support System Breach; No User Data Compromised
1Password, a password management solution, detected suspicious activity on its Okta instance following a breach of Okta's support system. The activity was immediately terminated and investigated, confirming that no user data or other sensitive systems were compromised. The breach occurred when an IT team member shared a HAR file with Okta Support, enabling the threat actor to use a session cookie to potentially gain unauthorized access. On detecting the malicious activity, 1Password took multiple steps to enhance security, including prohibiting logins from non-Okta IDPs, reducing administrative user session times, enforcing stricter multi-factor authentication rules for administrators, and minimizing the number of super administrators. The mode of attack described by 1Password shares similarities with known campaigns where threat actors compromise super admin accounts and attempt to manipulate authentication flows to impersonate users within the compromised organization. Okta, known to have been targeted by social engineering attacks, has not confirmed whether the attacks have any connection to the threat group Scattered Spider. This group is known for using social engineering attacks to obtain elevated privileges. The discovery of suspicious activity on 1Password's Okta instance comes after Okta announced that unidentified threat actors leveraged a stolen credential to access its support case management system and steal sensitive HAR files, potentially impacting 1% of its customer base. Other affected customers include BeyondTrust and Cloudflare.
2023-10-24 03:34:35 theregister CYBERCRIME China-based Scammers Exploit India's Real-Time Payment System via Fake Loan Apps
China-based cyber scam artists are fraudulently manipulating India's Unified Payments Interface (UPI), a real-time mobile payment system, to commit theft, as revealed by threat intelligence company CloudSEK. The scammers imitate loan app providers, enticing victims with promises of fast money and easy repayments for a fee of between 5% and 10% of the loan amount. The victims are then asked to share personal and bank information, and the loan never materializes after the fee is paid. The fee is subsequently laundered through proxies from India to China. The scammers recruit accomplices who hold legitimate existing bank accounts at smaller, less monitored banks and who allow the scammers to control the account and launder the stolen money. The recruits receive a commission of 1% to 2% of the transaction for their involvement. Telegram is used to recruit accomplices through enticing advertisements or messages. In just two months, scammers laundered the equivalent of $44,000 through one of the 55 apps, using a network of over 10,000 accomplices. CloudSEK suggested that UPI service providers should boost security measures to safeguard consumers from fraud, and that banks, in cooperation with the National Payments Corporation of India (NPCI), should introduce additional controls that verify that any new mobile number added to an account corresponds with the account holder's name.
2023-10-23 22:39:36 bleepingcomputer DATA BREACH 1Password Experiences Security Breach Tied to Recent Okta Incident
1Password, a major password management platform, reported a security breach resulting from hackers compromising its Okta ID management tenant. Despite detecting suspicious activity on their Okta instance, the company confirmed no user data had been accessed following a thorough investigation and swift termination of the unauthorized activity. The breach comes after Okta announced that its own support case management system had been penetrated by hackers using stolen credentials. The threat actors in Okta's case leveraged HTTP Archive (HAR) files that contained sensitive data to mimic a legitimate Okta customer. Threat actors breached 1Password's Okta tenant by using a stolen session cookie belonging to an IT employee, using similar tactics to those observed in Okta's prior incident. The threat actors used their access to manipulate the organization's authentication flows and set up a secondary identity provider to impersonate users within the organization. 1Password consequently tightened security protocols around its Okta configuration, including credential changes for the affected IT employee, restrictions on non-Okta IDP logins, shorter session times for administrative users, and stricter multi-factor authentication rules for administrative users. Okta and 1Password's accounts of the incident timeline differ, with Okta asserting that logs show the IT employee's HAR file wasn't accessed until after 1Password’s noted security incident.
2023-10-23 22:18:54 theregister MALWARE Malware operators outmaneuver Cisco's patch for critical IOS XE bug
Cisco began rolling out patches for a critical bug in its IOS XE software that had been exploited to install implants on thousands of Cisco routers and switches. However, the criminals who had been exploiting the vulnerability updated the malware to dodge detection. The flaw, first identified last week, allowed attackers to hijack Cisco devices. Although Cisco made software release 17.9.4a available to fix the flaw, monitoring showed thousands of devices remained affected. On Monday, Cisco updated its security advisory, offering enhanced guidance to identify infected systems after discovering a new variant of the attack that impedes the identification of compromised systems. The malware compromised about 36,541 Cisco devices. However, the count of infected devices dropped to 1,200 over the weekend. This sudden fall was due to the criminals changing the malware code, according to security firm Fox-IT. Fox-IT revealed that the implant placed on Cisco devices has been altered to check for an Authorization HTTP header value before responding, which likely explains the drop in detections. While the recent code change might allow the attackers to maintain access to the systems for a little longer, it is thought to be just a temporary fix and is unlikely to give them much advantage, according to VulnCheck CTO Jacob Baines.
2023-10-23 19:35:49 bleepingcomputer DATA BREACH The University of Michigan Suffers Data Breach Exposing Sensitive Employee and Student Information
The University of Michigan reported a data breach of its network in August, resulting in unauthorized access to sensitive data of students, applicants, alumni, donors, employees, patients, and research study participants. The unauthorized access lasted from August 23-27 and exposed personal, financial, and medical details, including names, medical records, and financial information. The University detected suspicious activity and isolated its entire campus network from the internet to curtail the breach's impact. Data related to research study participants, patients of the University Health Service, and the School of Dentistry might also have been compromised. The University has informed all individuals who may have been affected by the breach and is offering them complimentary credit monitoring services. The University discovered the intrusion a week later and subsequently implemented a mandatory password reset for all associated accounts.
2023-10-23 19:19:59 theregister DATA BREACH Entire DC Voter Roll Potentially Stolen in Ransomware Attack
The DC Board of Elections (DCBOE) warns that RansomedVC, a ransomware crew, may have stolen its full voter roll, which includes the personal information of all registered voters in the District of Columbia. The incident reportedly happened when the group accessed a server of DataNet Systems, the agency's website hosting provider, which contained around 600,000 items of US voter data, including DC voter records. While no internal databases or servers of the DCBOE were compromised, it was reported that documents of significant importance were stored on DataNet's servers. The stolen data includes personally identifiable information such as partial social security numbers, driver's license numbers, dates of birth, and contact information including phone numbers and email addresses. The DCBOE will now contact all registered voters and has hired incident response experts Mandiant to help investigate the incident. The organization is also working with the FBI, Homeland Security, and the Office of the Chief Technology Officer. Despite the ongoing investigation, voter registration remains active and secure for residents of the District of Columbia. RansomedVC, the group claiming responsibility, is a new gang that emerged in September and has also reportedly breached Sony and Japanese cell carrier NTT Docomo.
2023-10-23 19:09:23 bleepingcomputer CYBERCRIME Scammers Capitalize on Israel-Hamas Crisis with Fraudulent Crypto Donation Requests
Amid the ongoing Israel-Hamas conflict, scammers are reportedly exploiting the situation to collect fake donations via cryptocurrency transactions. BleepingComputer uncovered instances on various social media platforms where fraudsters posted cryptocurrency wallet addresses, falsely presenting themselves as legitimate charities soliciting donations. A pattern of such scams has been observed during past humanitarian crises such as the Russo-Ukrainian war and the earthquakes in Turkey. For example, a fake "Gaza Relief Aid" account showing images of wounded victims was traced by BleepingComputer to the domain aidgaza.xyz, registered on October 15th. The same fraudulent approach was observed with accounts claiming to support Israel and Israeli victims. Cybersecurity firm Kaspersky detected over 500 scam emails from fake charities capitalizing on people's willingness to donate to those affected by the crisis. Both BleepingComputer and Kaspersky advise users to thoroughly scrutinize soliciting pages before donating and to verify the legitimacy of charitable organizations before giving.
2023-10-23 18:23:02 bleepingcomputer CYBERCRIME Urgent Call for Patching as Citrix NetScaler Vulnerability Under Attack
Citrix has issued a warning to administrators to immediately secure NetScaler ADC and Gateway appliances against attacks exploiting CVE-2023-4966, rated at a high 9.4/10 severity. The vulnerability is remotely exploitable without user interaction, affecting NetScaler appliances configured as a Gateway (such as VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Cybersecurity firm Mandiant reported that the vulnerability has been exploited as a zero-day since late August 2023, enabling attackers to steal authentication sessions and hijack accounts. It added that compromised sessions can persist even after patching. The exploitation of CVE-2023-4966 has affected the infrastructure of government organizations and technology companies, indicating that attackers could move laterally across networks, compromising additional accounts. Citrix stated it cannot provide forensic analysis to determine if systems have been compromised, but advised killing all active and persistent sessions. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has also highlighted the urgency of addressing this vulnerability, mandating that federal agencies secure their systems against active exploitation by November 8.
2023-10-23 16:40:49 bleepingcomputer CYBERCRIME US Energy Services Firm BHI Energy Victim of Akira Ransomware Attack
US engineering services provider BHI Energy, part of Westinghouse Electric Company, has disclosed details about a data breach it suffered in an attack by the Akira ransomware group. The breach, which occurred on May 30, 2023, began with stolen VPN credentials from a third-party contractor that were used to gain access to BHI's internal network and perform a week-long reconnaissance. The operators subsequently returned to the network on June 16, stealing up to 690 GB of data, including 767k files and BHI's Windows Active Directory database. After extracting all possible data, the threat actors deployed the ransomware on June 29, leading to the discovery of the compromise by BHI's IT team. BHI engaged external experts and informed law enforcement while removing the threat actor's footprint from its network by July 7. Data recovery was possible because the attackers did not impact the cloud backup solution. BHI restored systems without paying any ransom and further strengthened its security measures. Although no leaked data from BHI is currently on the dark web, the stolen files include personal information of employees. The company has offered a two-year identity theft protection service to address concerns.
2023-10-23 15:03:32 bleepingcomputer CYBERCRIME Spanish National Police Arrest 34 Members of Cybercriminal Group, Dismantling Fraudulent Operation Impacting 4 Million People
Spanish law enforcement has arrested 34 people in connection with a myriad of sophisticated cyber and financial scams, resulting in stolen data from over four million people. These arrests followed 16 targeted police operations in numerous Spanish cities, leading to the confiscation of firearms, high-end cars, cash, and the uncovering of a database with the stolen data. The arrested individuals are suspected of participating in email and SMS phishing scams, impersonating delivery services and utility companies to dupe victims. In some instances, they allegedly executed 'son in distress' tactics, making parents believe their child was in imminent danger to extort money. They also leveraged an inside position within an international tech firm to redirect merchandise to their control and infiltrated the databases of financial institutions to illicitly credit money into customer accounts, making victims believe it was a bank error that needed repaying. The group’s activities led to an estimated illicit profit of €3,000,000 ($3.2 million), primarily by selling the stolen data to other cybercriminals. The authorities reported proceeds were laundered through crypto asset investment platforms. The leaders of the organized cybercrime group are under arrest, and ongoing efforts are underway to identify more participants and victims.
2023-10-23 14:12:00 bleepingcomputer CYBERCRIME Cisco Fixes Two IOS XE Vulnerabilities Exploited to Compromise More Than 50,000 Devices
Cisco has patched two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, in IOS XE software that were used to compromise more than 50,000 devices over the past week. The first fixed software release, 17.9.4a, is available from the company's Software Download Center. The vulnerabilities are in the web UI of Cisco devices running the IOS XE software. The first vulnerability (CVE-2023-20198) was exploited for initial device access, after which a normal local account was created. CVE-2023-20273 was then used to elevate user privileges and add a malicious script to the file system. Cisco warns that the two vulnerabilities can only be exploited if the web UI (HTTP Server) feature of the device is turned on. Researchers noted a steep drop in the number of Cisco IOS XE hosts hacked using the two vulnerabilities over the weekend. The reasons are unknown, but one theory suggests that the hackers might have issued an update to hide their presence.
2023-10-23 13:05:25 theregister CYBERCRIME Microsoft Launches Early Access to its AI-Enabled Security Assistance, Security Copilot
Microsoft has launched the early access program for its AI-based cybersecurity tool, Security Copilot. The tool is designed to optimise routine security operations and provide vital insights for the security team. The AI assistant will be part of the Microsoft 365 Defender XDR platform and comes with the promise of potentially freeing up 40% of the time usually spent on routine security tasks. Security Copilot will deliver step-by-step instructions on managing incidents, aiming to make less skilled security analysts more effective and security teams faster. The AI assistant can automatically summarise security incidents into reports, reducing the manual work required in triaging an incident and writing up a report. The tool also offers robust functionality for crafting queries in Kusto Query Language (KQL) for threat hunting. Part of the early access programme includes access to Microsoft Defender Threat Intelligence and its API. Additional capabilities include vulnerability and patch management support, by identifying the endpoints that need securing. The tool will also let third-party Managed Security Service Providers (MSSPs) utilise its AI tech on behalf of customers even if those customers do not have access themselves. While a specific release date for Security Copilot has not been revealed, Microsoft states that there are still spaces available in the early access program for qualified organisations.