Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11607

Checks for new stories every ~15 minutes

2023-10-21 13:12:05 thehackernews CYBERCRIME Europol Takes Down Ragnar Locker Ransomware Infrastructure, Key Developer Arrested
Europol announced the dismantling of the infrastructure supporting the criminal operations of the Ragnar Locker ransomware and the arrest of a key target in France. The agency conducted operations in Czechia, Spain, and Latvia from 16 to 20 October. The key suspect, believed to be the developer of the Ragnar group, is facing the examining magistrates of the Paris Judicial Court. Five associates of the ransomware gang have reportedly been interviewed in Spain and Latvia. Meanwhile, the perpetrators' servers and data leak portal were seized in the Netherlands, Germany, and Sweden. This is the latest coordinated effort against cybercrime involving authorities from multiple countries, including Czechia, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the U.S. Ragnar Locker, which surfaced in December 2019, is notorious for attacks on vital infrastructure entities globally, affecting 168 international companies since 2020. The group used double extortion tactics, demanding high payments both for decryption tools and for withholding the release of stolen sensitive data. Accompanying efforts to combat cyber threats include India's nationwide crackdown on suspected tech support scams and cryptocurrency fraud and Ukraine's Cyber Police strike against a Trigona ransomware group member. The ongoing fight against ransomware also includes work to identify threat actors that evolve and rebrand under new names; as an example, the Hive group has reemerged as Hunters International.
2023-10-21 09:28:37 thehackernews DATA BREACH Unidentified Threat Actors Breach Okta's Support System, Accessing Customer Data
Okta, an identity services provider, has reported a security incident in which unidentified threat actors gained access to its support case management system using stolen credentials. The attackers could view files uploaded by certain Okta customers as part of recent support cases. Notably, the support case system is separate from Okta's production service, which was unaffected. Okta emphasized that its Auth0/CIC case management system was not impacted, and all affected customers have been notified. The threat actors could access HTTP Archive (HAR) files containing sensitive data that could be used to impersonate valid users, though Okta worked with impacted customers to revoke any embedded session tokens. Cloudflare and BeyondTrust were among the customers targeted. The intruder accessed Cloudflare systems on October 18th using a session token extracted from Okta; however, Cloudflare asserts that no customer data or systems were accessed in the attack. BeyondTrust reported the breach to Okta on October 2, 2023, having detected and remediated suspicious activity within 30 minutes, avoiding any impact on its infrastructure or customers. Okta did not disclose the scale of the attack or when it took place and was detected. The company manages around 50 billion users across more than 17,000 customers as of March 2023.
2023-10-21 03:46:59 thehackernews MALWARE Cisco Zero-Day Flaw Exploited to Install Lua-based Backdoor on Thousands of Devices
Cisco has issued a warning about a zero-day flaw in its IOS XE software that has been used by unidentified threat actors to deploy a malicious Lua-based implant on susceptible devices. The issue, tracked as CVE-2023-20273, is a privilege escalation flaw in the web UI feature; it is said to have been used alongside another vulnerability (CVE-2023-20198) as part of an exploit chain. The attacker first exploits CVE-2023-20198 to gain access and create a user-password combination, after which the new local user is used to elevate privileges to root and write the malware to the system. A fix addressing both vulnerabilities has been identified and will be distributed from October 22, 2023; until then, users are advised to disable the HTTP server feature. These vulnerabilities could potentially allow attackers to gain full remote control over the affected system, monitor network traffic, inject and redirect network traffic, and establish a persistent presence within the network. According to data from Censys and LeakIX, around 41,000 Cisco devices running the vulnerable IOS XE software are estimated to have been compromised by threat actors using the two security flaws. By October 19, the number of compromised devices had dropped to 36,541. The primary targets of this vulnerability are not large corporations but smaller entities and individuals.
2023-10-20 22:16:56 bleepingcomputer MALWARE Cyberattackers Exploit New Cisco IOS XE Zero-Day for Malware Deployment
Cisco revealed a new, critical zero-day flaw, CVE-2023-20273, that has been actively used to deploy harmful implants on compromised IOS XE devices. This disclosure comes shortly after that of another zero-day, CVE-2023-20198. Fixes for both flaws are expected to be available to customers via Cisco's Software Download Center as of October 22nd. Malicious actors have actively exploited these flaws since at least Sep. 18, accessing IOS XE devices and creating local user accounts named 'cisco_tac_admin' and 'cisco_support'. CVE-2023-20273 in particular is used by attackers to obtain root access, gain complete control over Cisco IOS XE devices, and deploy malicious implants that enable the execution of arbitrary commands on the system. Networking devices that run Cisco IOS XE, including enterprise switches, access points, wireless controllers, and various routers, are vulnerable. An estimated 146K of these systems are openly exposed to such attacks. While patches are not yet available, administrators can block these attacks by disabling the vulnerable HTTP server feature on all internet-facing systems. Cisco also recommends that admins check for suspicious or new user accounts as potential signs of associated malicious activity. This follows another warning from Cisco last month to patch a separate zero-day bug, CVE-2023-20109, in its IOS and IOS XE software that was targeted by attackers.
2023-10-20 19:49:12 theregister CYBERCRIME Admin of Compromised-Credential Marketplace E-Root Extradited to the US
Sandu Diaconu, the Moldovan who allegedly ran the compromised-credential marketplace E-Root, has been extradited from the UK to the US to face trial. Diaconu and another, unnamed individual allegedly operated E-Root, selling access to compromised servers globally from 2015 to 2020. The platform was used to facilitate illegal activities such as ransomware attacks, fraudulent wire transfers, and tax fraud. US authorities uncovered over 350,000 compromised credentials listed for sale on E-Root, with victims including individuals and companies in the US and globally; one of the victims was a local government agency in Tampa, Florida. The site used the online payment system Perfect Money to handle transactions and operated a sister website to convert Bitcoin into Perfect Money in order to conceal identities. Diaconu and the other unnamed individual associated with E-Root face charges including conspiracy to commit access device and computer fraud, wire fraud conspiracy, money laundering, and more. If found guilty, Diaconu could face up to 20 years in prison. E-Root was taken down in 2020 through a joint effort by US and UK law enforcement, marking another success in the worldwide crackdown on cybercrime.
2023-10-20 18:42:50 bleepingcomputer DATA BREACH Okta's Support System Breached, Potentially Exposing Customer Cookies and Session Tokens
Okta disclosed a breach of its support system using stolen credentials, which enabled the threat actor to view customer files uploaded for recent support cases. Chief Security Officer David Bradbury clarified that the breach did not impact Okta's production service or the Auth0/CIC case management system. Although no specifics on exposed customer information have been shared, the breached system stored HTTP Archive (HAR) files, which can contain sensitive data such as cookies and session tokens used for account access. The company has revoked session tokens embedded in shared HAR files, advised customers to sanitize their files before sharing them, and published the indicators of compromise it observed. Okta has previously experienced multiple security incidents, including an admin console breach by Lapsus$, OTP theft by the Scatter Swine group, and source code thefts from both Okta and its subsidiary Auth0. Customers potentially impacted by this recent incident have been notified; those who did not receive an alert are not affected.
2023-10-20 16:08:22 bleepingcomputer CYBERCRIME International Operation Arrests Ragnar Locker Ransomware Developer and Seizes Group's Dark Web Sites
A multi-national law enforcement operation involving authorities from eleven nations has resulted in the arrest of a Ragnar Locker ransomware gang developer. Six additional suspects associated with the ransomware gang were located and interviewed in France, Spain, Latvia, and the Czech Republic during these raids. The operation also involved raids at multiple locations believed to be connected to other suspects, resulting in nine servers being taken down in the Netherlands, Germany, and Sweden. This is the third operation against the Ragnar Locker ransomware gang, following actions in Ukraine and Canada. The joint action also enabled the seizure of cryptocurrency and of the ransomware operation's Tor negotiation and data leak sites. Ragnar Locker, which emerged in late December 2019, targets enterprise victims worldwide and eschews the common Ransomware-as-a-Service model, favoring targeted network breaches via collaboration with external penetration testers. It has attacked 168 international companies since 2020, including the likes of ADATA, Dassault Falcon, and Capcom, and the FBI states that the ransomware has been deployed on the networks of at least 52 organizations across various critical infrastructure sectors in the United States since April 2020.
2023-10-20 16:02:48 bleepingcomputer CYBERCRIME Developer of Ragnar Locker Ransomware Apprehended in International Operation
In an international operation involving multiple countries, a developer connected to the Ragnar Locker ransomware operation was detained in France, and the operation's dark web sites were seized. The operation culminated in a week-long action from 16-20 October, with raids in the Czech Republic, Spain, Latvia, and France, and the seizure of nine servers in the Netherlands, Germany, and Sweden. Eurojust opened the case in May 2021, facilitating judicial cooperation between the participating countries, and a coordination center was established for the duration of the action to enable rapid cooperation. Cryptocurrency was also seized as part of the operation, along with the ransomware group's Tor negotiation and data leak sites. This represents the third action taken against the Ragnar Locker ransomware gang; previous operations led to the arrest of suspects in Ukraine and Canada. Operating as a semi-private group rather than as a Ransomware-as-a-Service, Ragnar Locker has attacked 168 international companies since 2020, including high-profile entities such as ADATA, Dassault Falcon, and Capcom. The FBI reports that the ransomware has been deployed on the networks of at least 52 organizations within numerous critical infrastructure sectors in the U.S. since April 2020.
2023-10-20 15:01:32 bleepingcomputer CYBERCRIME Critical Remote Code Execution Flaws Identified in SolarWinds Access Rights Manager
Researchers have identified three serious remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product. These flaws could allow remote attackers to execute code with SYSTEM privileges. The flaws were found and reported through Trend Micro’s Zero Day Initiative (ZDI) on June 22. In total, eight vulnerabilities were found in the SolarWinds solution, three of which are considered critical in severity. SolarWinds has addressed all vulnerabilities highlighted in the report, and a patch is available in version 2023.2.1 of Access Rights Manager. Despite the researchers' assessments, SolarWinds did not classify any of the vulnerabilities as critical; the highest rating it assigned was 8.8, for high-severity issues.
2023-10-20 13:54:43 thehackernews MALWARE Malvertising Campaign Exploits Google Ads to Distribute Malware
Google Ads is being exploited in a malvertising campaign in which threat actors direct users searching for popular software such as Notepad++ and PDF converters to fake landing pages that distribute next-stage payloads. Upon a click on one of the bogus ads in the search results, bots and other unwanted IP addresses are filtered out by being shown a decoy webpage. Visitors of interest are then redirected to a replica of the software's site while their system is silently fingerprinted. Users deemed not of value are sent to the real Notepad++ website, while potential targets are assigned unique, time-sensitive IDs for tracking and download purposes; the final payload is malware that establishes a connection to a custom port on a remote domain. A similar campaign has also been detected targeting users searching for the KeePass password manager with harmful ads that redirect victims to a domain using Punycode. The evasion techniques in use, which bypass advertisement verification checks, enable the threat actors to successfully target particular victims and signal a growing sophistication in the malvertising field. Several threat actors, including TA569, RogueRaticate, ZPHP, ClearFake, and EtherHiding, are exploiting fake browser update themes to spread malware such as Cobalt Strike, loaders, stealers, and remote access trojans.
2023-10-20 13:49:11 bleepingcomputer CYBERCRIME Kwik Trip Confirms Cyberattack Led to IT System Outages
Kwik Trip, a US convenience store chain, has confirmed that a cyberattack has been causing ongoing outages to its internal IT systems since October 9, 2023. The attack has resulted in widespread IT system disruptions affecting the company's Rewards program, support, phone, and email systems. The Kwik Rewards loyalty program has resumed at select stores and will gradually be reinstated at all locations. Kwik Trip has yet to provide details about the customer personal information stored in the affected systems, but says it has found no evidence of attackers accessing customer payment details. The company has engaged third-party cybersecurity experts to assist in the mitigation efforts and to investigate the nature and extent of the breach. The convenience store chain operates over 800 stores and gas stations across the north-central region of the US and has a workforce of over 35,000 employees.
2023-10-20 13:33:32 thehackernews CYBERCRIME Vietnamese Hackers Deploy DarkGate Malware on Targets in UK, US, and India
Vietnamese cyber actors are suspected to be behind a series of attacks using the DarkGate commodity malware, primarily targeting entities in the UK, the US, and India; the Ducktail stealer is another malware associated with these actors. Cybersecurity firm WithSecure reports an increase in campaigns using DarkGate, driven by the developer's decision to rent the malware to other threat actors. Overlapping tools, campaigns, and malware indicate an active cybercrime marketplace in which threat actors can obtain and use multiple different tools for a single purpose. The tactics, techniques, and procedures used by the Vietnamese actors include delivering DarkGate through AutoIt scripts fetched via phishing emails or messages on Skype or Microsoft Teams. The initial infection vector in a recent attack was a LinkedIn message that redirected the recipient to a file on Google Drive, a method commonly used by Ducktail actors. DarkGate has the capabilities of a remote access trojan (RAT): it can steal information and establish a backdoor for accessing compromised hosts. The use of multiple tools in the same campaign could obscure the true extent of the activity from purely malware-based analysis.
2023-10-20 12:52:23 bleepingcomputer MALWARE Vietnam-Linked Cybercriminals Exploit Fake Corsair Job Offers on LinkedIn to Deliver Malware
Cybersecurity firm WithSecure has observed a threat actor using fake LinkedIn posts and messages about a position at hardware maker Corsair to distribute info-stealing malware such as DarkGate and RedLine. The threat actor is associated with the Vietnamese cybercriminal groups responsible for the 'Ducktail' campaigns, which aim to steal Facebook business accounts for malvertising or resale. Since its creator started selling access to DarkGate in June 2023, the malware has been used in phishing attacks via Microsoft Teams and has been spread through compromised Skype accounts. The main targets of these malicious activities are users located in the U.S., U.K., and India, particularly those in social media management positions with likely access to Facebook business accounts. Victims are tricked into downloading a malicious file containing a VBS script from a URL that redirects to Google Drive or Dropbox. WithSecure's analysis links these activities to RedLine stealer distribution, as the malware attempts to uninstall security products from the compromised system 30 seconds after installation. To help organizations protect against this threat, WithSecure has published a list of indicators of compromise, including IP addresses, URLs, file metadata, and archive names.
2023-10-20 11:40:50 thehackernews CYBERCRIME Adopting Cybersecurity for IoT Crucial for Interconnectivity Potential
Cybersecurity professionals need to fully understand the role of cybersecurity in the evolution of Internet of Things (IoT) technology to realize its full potential. IoT security needs to be integrated into the design and development stages to address the related risks and vulnerabilities. IoT adoption has not scaled quickly because of the traditional “build it first and cyber security will follow” mentality, which has caused hesitation among industries wary of the cost of deploying an insecure system. Cyber security deficiencies were a major concern for industries adopting IoT, with 40% of firms saying they would raise their IoT budget if cyber security issues were solved. A unified decision-making structure, similar to the relationship between application development and design teams and cyber security operations, is recommended to accelerate IoT adoption. Potential security gaps and vulnerabilities can be identified early through penetration testing and attack surface management. The market value for IoT suppliers could reach anywhere between $625 billion and $750 billion if security is managed effectively, which would in turn drive further increases in spending.
2023-10-20 09:07:59 thehackernews CYBERCRIME New Information Stealer ExelaStealer Emerges As Low-Cost Cybercrime Tool
A new information stealer named ExelaStealer is the latest entrant in the malware landscape, designed to capture sensitive data from compromised Windows systems. ExelaStealer is an open-source infostealer with paid customizations available. It can siphon passwords, Discord tokens, credit card details, cookies and session data, keystrokes, screenshots, and clipboard content. The malware is offered for sale via cybercrime forums and a dedicated Telegram channel. It costs $20 a month, $45 for three months, or $120 for a lifetime license, making it an affordable tool for entry-level criminals. The malware is currently compiled and packaged only on a Windows-based system using a Python builder script. Evidence suggests that it is being distributed via an executable that masquerades as a PDF document. Against the backdrop of rising cybercrime, U.S. cybersecurity and intelligence agencies recently released a joint advisory outlining the phishing techniques used by malicious actors to obtain login credentials and deploy malware.