Daily Brief


Total articles found: 11588

Checks for new stories every ~15 minutes

2023-10-19 07:16:18 thehackernews NATION STATE ACTIVITY North Korean Lazarus Group Exploits Critical JetBrains TeamCity Flaw
North Korean threat actors tracked by Microsoft as Diamond Sleet and Onyx Sleet, both associated with the Lazarus Group, are exploiting a critical flaw in JetBrains TeamCity (CVE-2023-42793) to breach vulnerable servers, Microsoft has warned. The two groups follow different attack paths: in one, a compromised TeamCity server is used to deploy a known implant called ForestTiger from previously compromised legitimate infrastructure; in another, a malicious DLL is retrieved that executes a next-stage payload or a remote access trojan (RAT). Onyx Sleet exploits the same TeamCity bug to create a new user account, after which it runs several system-discovery commands on the compromised host and deploys a custom proxy tool, HazyLoad. In some cases the attacker signs into the compromised device over Remote Desktop Protocol (RDP) with the newly created account and stops the TeamCity service to lock out other threat actors. The Lazarus Group has long mixed espionage with financially motivated crime, including cryptocurrency heists and supply chain attacks, to fund North Korea's missile program. Separately, AhnLab Security Emergency Response Center (ASEC) has detailed the group's use of the Volgmer and Scout malware families for backdoor control of systems, linked it to a further watering-hole campaign known as Operation Dream Magic, and attributed fresh spear-phishing attacks to Kimsuky (APT43); those attacks use the BabyShark malware to install various remote desktop tools for taking over systems and exfiltrating data.
2023-10-19 04:08:04 thehackernews NATION STATE ACTIVITY State-Backed Threat Actors Exploit WinRAR Vulnerability to Execute Malicious Attacks
Google's Threat Analysis Group (TAG) has identified state-backed threat actors from Russia and China exploiting a security flaw in the WinRAR archiver for Windows. The vulnerability, CVE-2023-38831, lets an attacker run arbitrary code when a user opens a seemingly benign file inside a crafted ZIP archive, and it has been exploited in the wild since at least April 2023. TAG attributes the activity to three clusters: FROZENBARENTS (aka Sandworm), FROZENLAKE (aka APT28), and ISLANDDREAMS (aka APT40). In one phishing campaign, Sandworm impersonated a Ukrainian drone warfare training school and distributed a malicious ZIP exploiting CVE-2023-38831 to deliver the Rhadamanthys infostealer. APT28 emailed Ukrainian government organizations an attachment carrying the exploit, which ran a PowerShell script that steals browser login data. APT40 ran a phishing campaign against targets in Papua New Guinea that deployed the BOXRAT backdoor. The Knownsec 404 team and NSFOCUS have separately reported exploitation by Konni and Dark Pink. TAG researcher Kate Morgan notes that the campaigns underscore how effective exploiting known vulnerabilities remains, even when patches are available.
2023-10-18 23:18:21 bleepingcomputer CYBERCRIME Ukrainian Cyber Activists Take Down Trigona Ransomware Operation by Hacking, Wiping Servers
The Ukrainian Cyber Alliance (UCA) breached the Trigona ransomware gang's servers, copied their contents, and then wiped them, possibly destroying the gang's decryption keys. The UCA got in through a critical, remotely exploitable vulnerability in Confluence Data Center and Server and initially operated without being noticed. By the time Trigona reacted, changing passwords and taking down its public infrastructure, the activists had already collected everything from the gang's administration and victim panels, blog, data leak site, and internal tools, including source code, database records, the development environment, and cryptocurrency hot wallets. The activists are not yet sure whether the haul contains decryption keys but intend to release them if found. After extracting the data, the UCA defaced and deleted the gang's sites and shared the key to the administration panel site. It claims to hold three backups amounting to potentially hundreds of gigabytes of stolen documents. The UCA formed in 2014 as a collective of hacktivists defending Ukraine's cyber landscape against Russian interference and registered as an NGO in 2016. The Trigona ransomware operation has been tracked under that name since late October 2022 and demands ransom payments in Monero; before adopting the name, the gang negotiated ransoms over email. The UCA's actions have significantly disrupted the operation.
2023-10-18 22:42:28 bleepingcomputer NATION STATE ACTIVITY North Korean Lazarus and Andariel hacking groups exploit critical TeamCity flaw to deploy backdoor malware
Microsoft's Threat Intelligence team reports that the North Korean groups Lazarus and Andariel are exploiting CVE-2023-42793 in TeamCity servers to deploy backdoor malware. TeamCity, a continuous integration and deployment server, patched the flaw, rated CVSS 9.8, in September; it lets unauthenticated attackers execute code remotely, and threat actors have since used it to get into corporate networks. Because both groups have previously compromised build environments to mount software supply chain attacks, the TeamCity intrusions are assessed as groundwork for more of the same. Once a TeamCity server is breached, the groups follow different attack chains to deploy backdoors and establish persistence, and ultimately dump credentials from LSASS, presumably for lateral movement. Lazarus has a history of espionage, data theft, and financially motivated attacks, while Andariel mainly targets defense and IT services organizations in South Korea, the United States, and India for espionage, data theft, and ransomware. Microsoft has published technical details and indicators of compromise for all three observed attack chains.
2023-10-18 20:49:32 bleepingcomputer CYBERCRIME Ex-Navy IT Manager Sentenced for Selling Personal Information on Dark Web
A former US Navy IT manager, Marquis Hooper, has been sentenced to more than five years in prison for obtaining the personal data of US citizens and selling it on the dark web. Hooper and his wife, Natasha Renee Chalk, who has yet to be sentenced, fraudulently obtained access to a database of personal information by claiming it was needed for background checks on Navy personnel. They pulled the sensitive data of around 9,000 people and sold it for roughly $160,000 in Bitcoin; buyers used it to commit further crimes such as document forgery and bank fraud. After the original account was suspended on suspicion of fraud, Hooper tried to regain access through a co-conspirator, falsifying Navy documents to justify the need, but was unsuccessful. Chalk faces up to 20 years in prison and a $250,000 fine; her sentencing is scheduled for November 20, 2023.
2023-10-18 18:06:18 bleepingcomputer DATA BREACH 23andMe Faces Further Data Breaches with 4.1 Million More Genetic Profiles Leaked
A hacker has leaked a further 4.1 million 23andMe genetic data profiles, belonging to people in Great Britain and Germany, on a hacking forum, following a leak earlier this month of data on 1 million users of Ashkenazi Jewish descent. 23andMe attributes the incident to credential stuffing, in which attackers log in with username and password pairs exposed in earlier breaches of other services and reused by the victims, and says its own systems were not breached. The impact was amplified because the compromised accounts had opted into the 'DNA Relatives' feature, which let the attacker scrape data on millions of other users those accounts were matched with. The forum user 'Golem', believed to be behind the leak, claims the data includes genetic information on the royal family, the Rothschilds, and the Rockefellers; that claim is unverified. According to TechCrunch, some of the leaked British data matches known public user and genetic information. The same actor, also active on BreachForums, claims to hold "hundreds of TBs of data", so further leaks may follow. 23andMe already faces numerous lawsuits alleging a lack of transparency about the breach and inadequate protection of customer data.
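The 23andMe incident above was credential stuffing rather than an exploit, so the defender's signal lives in authentication telemetry: one source trying many distinct accounts with a low success rate, and the few accounts it does land on being the ones to reset. The script below is an added example written for this brief, not 23andMe's code or anything from the BleepingComputer article; the log line format, the sample lines (documentation IP ranges, made-up user names) and the thresholds are all assumed.

```python
"""Flag credential-stuffing sources in authentication logs (added example, not from the article)."""
import re
from collections import defaultdict

# Assumed log line shape; adapt the regex to the real authentication log.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.5 sprays seven accounts and lands one; the other two IPs are normal users.
SAMPLE_LOG = """
2023-10-18T02:00:01Z ip=203.0.113.5 user=alice result=fail
2023-10-18T02:00:02Z ip=203.0.113.5 user=bob result=fail
2023-10-18T02:00:03Z ip=203.0.113.5 user=carol result=ok
2023-10-18T02:00:04Z ip=203.0.113.5 user=dave result=fail
2023-10-18T02:00:05Z ip=203.0.113.5 user=erin result=fail
2023-10-18T02:00:06Z ip=203.0.113.5 user=frank result=fail
2023-10-18T02:00:07Z ip=203.0.113.5 user=grace result=fail
2023-10-18T08:15:00Z ip=198.51.100.7 user=alice result=fail
2023-10-18T08:15:09Z ip=198.51.100.7 user=alice result=ok
2023-10-18T09:02:44Z ip=198.51.100.9 user=bob result=ok
""".strip().splitlines()


def parse_auth_log(lines):
    """Yield one dict per line that matches LOG_RE; lines that do not parse are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_stuffing_sources(events, min_accounts=5, max_success_rate=0.2):
    """Return {ip: summary} for sources that tried many distinct accounts with mostly failures.

    min_accounts: distinct usernames a single source must touch before it is considered.
    max_success_rate: stuffing succeeds rarely, so a high success ratio suggests a shared NAT, not an attack.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0, "ok_users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        if e["result"] == "ok":
            s["ok"] += 1
            s["ok_users"].add(e["user"])
        else:
            s["fail"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        total = s["ok"] + s["fail"]
        if len(s["users"]) >= min_accounts and s["ok"] / total <= max_success_rate:
            flagged[ip] = {
                "accounts_tried": len(s["users"]),
                "attempts": total,
                "compromised": sorted(s["ok_users"]),  # accounts that need a forced reset and session revocation
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The accounts listed under `compromised` are the ones that need a forced password reset and session revocation, not just the blocked IP. Raise `min_accounts` for shared egress points (NAT, VPN concentrators) where many legitimate users share an address, and note that login telemetry alone says nothing about the second-order exposure through a feature like DNA Relatives, where one valid login reads data on many other users.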
2023-10-18 16:49:35 bleepingcomputer NATION STATE ACTIVITY Russian and Chinese State-backed Hackers Exploit WinRAR Vulnerability
Google's Threat Analysis Group (TAG) reports that state-sponsored hackers, notably Sandworm and APT28 from Russia and APT40 from China, are exploiting a high-severity vulnerability in WinRAR. The flaw, CVE-2023-38831, has been under active exploitation since at least April 2023 and gives attackers arbitrary code execution on target systems. In September 2023, Sandworm used it in phishing attacks built around fake invitations to a Ukrainian drone training school, while APT28 targeted Ukrainian users with exploits hosted on a free hosting provider's servers. APT40 targeted users in Papua New Guinea and established persistence on compromised systems with the ISLANDSTAGER and BOXRAT tools. Exploitation has also been linked to Dark Pink and Konni, and Group-IB researchers found it used against members of cryptocurrency and stock trading forums. A fix shipped in WinRAR 6.23 on August 2, 2023; TAG stresses the importance of keeping software up to date, since exploits for known vulnerabilities remain highly effective.
2023-10-18 16:03:22 bleepingcomputer MALWARE Google Enhances Play Protect with Real-Time Scanning to Mitigate Android Malware
Google has added real-time scanning to Google Play Protect, Android's built-in protection system, to improve detection of polymorphic malware in Android apps. Play Protect already performs on-device scans, drawing on intelligence from 125 billion app scans a day; it now recommends a real-time scan when a user installs an app that has never been scanned before, extracting behavioral signals from the app and sending them for in-depth code-level analysis. That analysis combines static and dynamic analysis, heuristics, and machine learning to identify patterns indicative of malicious behaviour. Malicious apps may still evade it, for instance by delaying the download of malicious code until well after installation. The real-time code-level scanning has launched in India and selected other countries and will roll out globally in the coming months. Because Play Protect ships as part of Google Play Services, it is updated independently of the Android version and security patch level, so Google can push new detections without waiting for the monthly Android release.
2023-10-18 15:20:38 bleepingcomputer MALWARE Advanced MATA Malware Targets Defense and Energy Sectors in Eastern Europe
An advanced version of the MATA malware framework was used between August 2022 and May 2023 in attacks on oil, gas, and defence companies in Eastern Europe. The intrusions began with spear-phishing emails that lured targets into downloading malicious executables exploiting CVE-2021-26411 in Internet Explorer. MATA, which has been linked to the North Korea-associated Lazarus group, consists of a loader, a main trojan, and an infostealer, and gave the attackers persistence in the infected networks. To spread, the attackers abused flaws in the victims' security compliance software and took control of it, and used a compromised financial software server connected to several subsidiaries of the target organization to distribute malware further. They also deployed a new module that can infect air-gapped systems via removable storage media, and used publicly available exploits to bypass EDR and other security tools. Kaspersky, which reported the campaign, notes possible links to Lazarus as well as to the 'Five Eyes'-attributed Purple, Magenta, and Green Lambert groups, underscoring the attackers' sophistication and resources.
2023-10-18 15:04:47 bleepingcomputer CYBERCRIME Multiple State-Backed Hacking Groups Exploit WinRAR Vulnerability
Google's Threat Analysis Group (TAG) reports that multiple state-sponsored hacking groups are exploiting a high-severity WinRAR vulnerability to gain arbitrary code execution on victims' systems. WinRAR, used by more than 500 million people, has a flaw (CVE-2023-38831) that Russian and Chinese state actors including Sandworm, APT28, and APT40 are targeting; it was exploited as a zero-day from April 2023. Victims are tricked into opening crafted RAR or ZIP archives containing booby-trapped decoy files, which causes the attacker's code to run. Early exploitation targeted members of cryptocurrency and stock trading forums, where the attackers posed as fellow enthusiasts sharing trading strategies. The bug was fixed in WinRAR 6.23, released on August 2, but many installations remain vulnerable because WinRAR has no automatic update mechanism and users have not updated by hand. Google reiterates that regular patching matters because exploiting known vulnerabilities remains an effective strategy for attackers.
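The three WinRAR items above (from The Hacker News and BleepingComputer, both reporting Google TAG) describe the trigger only as opening a file inside a crafted archive. The publicly documented layout behind CVE-2023-38831 pairs a decoy file with a directory of the same name ending in a space, which holds a script whose name starts with the decoy's; a mail gateway or sandbox can flag archives with that shape before WinRAR ever opens them. The scanner below is an added example written for this brief, not code from Google TAG, RARLAB or the articles; the archive it inspects is constructed in memory, the file names are made up, and the extension list is a hypothetical starting set.

```python
"""Heuristic check for the CVE-2023-38831 archive layout (added example, not from the articles)."""
import io
import posixpath
import zipfile

# Hypothetical starting set of extensions that would execute when handed to the shell.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".pif"}


def scan_zip_names(names):
    """Return (reason, entry) findings for a list of archive entry names."""
    findings = []
    top_files = set()   # basenames of files stored at the archive root
    dirs = set()        # top-level directory names, without the trailing '/'
    children = {}       # top-level dir -> basenames of files directly inside it
    for raw in names:
        name = raw.replace("\\", "/")   # Windows-built archives may use backslashes
        is_dir = name.endswith("/")
        parts = name.rstrip("/").split("/")
        # Trailing spaces are how the decoy and the payload directory share a name.
        if any(p != p.strip(" ") for p in parts):
            findings.append(("name component with leading/trailing space", name))
        if is_dir:
            if len(parts) == 1:
                dirs.add(parts[0])
            continue
        if len(parts) == 1:
            top_files.add(parts[0])
        else:
            dirs.add(parts[0])
            if len(parts) == 2:
                children.setdefault(parts[0], []).append(parts[1])

    for d in dirs:
        if d not in top_files:
            continue
        findings.append(("directory shares its name with a root-level file", d))
        for child in children.get(d, []):
            stem, ext = posixpath.splitext(child)
            if ext.lower() in SCRIPT_EXTS and stem.startswith(d):
                findings.append(("script named after the decoy inside that directory", d + "/" + child))
    return findings


def scan_zip(data):
    """Scan raw ZIP bytes; an empty list means nothing matched the layout."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_zip_names(zf.namelist())


def build_archive(entries):
    """Build a ZIP in memory from {name: bytes} (used only to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: the decoy layout versus an ordinary archive.
SUSPICIOUS = build_archive({
    "notes.txt": b"nothing to see here",
    "report.pdf ": b"%PDF-1.4 decoy",                        # decoy, note the trailing space
    "report.pdf /report.pdf .cmd": b"REM placeholder script",  # same name plus a script extension
})
CLEAN = build_archive({"notes.txt": b"hello", "docs/readme.md": b"# readme"})

if __name__ == "__main__":
    for label, data in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, scan_zip(data))
```

A root-level file and a directory with the same name is unusual enough to quarantine on its own; the trailing-space check catches the exact layout seen in the wild but will also fire on sloppily built archives, so treat it as a triage signal rather than a verdict. The example reads only ZIPs because Python's standard library cannot parse RAR; the same entry-name logic applies to a RAR listing produced by another tool.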
2023-10-18 14:53:55 thehackernews NATION STATE ACTIVITY Lazarus Group Launches Operation "Dream Job" to Target Defense and Nuclear Experts
The North Korea-linked Lazarus Group is using trojanized Virtual Network Computing (VNC) applications to target the defense industry and nuclear engineers in a campaign dubbed Operation Dream Job. The attackers approach job seekers over social media and persuade them to open the malicious apps for fake interviews; because the victim launches the app, behavior-based security solutions are less likely to flag it. Once run, the counterfeit app retrieves further payloads, including the Lazarus-built LPEClient, which profiles the compromised host. Targets include companies directly involved in defense manufacturing, such as makers of radar systems, unmanned aerial vehicles (UAVs), military vehicles, ships, and weaponry, as well as maritime companies. Google-owned Mandiant separately reports a marked evolution in the adaptability and complexity of North Korean threat activity, with tailored malware for multiple platforms including Linux and macOS. Overlaps in infrastructure, tooling, and targeting between North Korean hacking outfits complicate attribution and point to a possible consolidation of their activities, alongside what Mandiant calls an "increased interest in the development of macOS malware to backdoor platforms of high-value targets within the cryptocurrency and the blockchain industries."
2023-10-18 14:48:17 theregister DATA BREACH D-Link Downplays Impact of Recent Data Breach
D-Link, the networking hardware manufacturer, has confirmed a data breach but disputes the scale claimed by the attacker. The claim surfaced on a hacking forum on October 1, where the attacker offered 3 million lines of customer data plus D-View source code for $500. D-Link disclosed on October 2 that it had been targeted and, after an investigation with external help, concluded that about 700 records were actually taken. It denies that the data came from its cloud; it says the information was pulled from a test lab environment running an old D-View 6 system, which the attacker reached by phishing an employee. The company believes some leaked fields, such as last-login timestamps, were manipulated to look more recent than they are. It did not comment on the attacker's claim that the data includes details on Taiwanese government officials and D-Link staff, and says most current users are unaffected. On learning of the breach, D-Link blocked all accounts and took the test lab offline, and it has committed to regular audits of outdated data, deleting it where necessary to prevent similar incidents.
2023-10-18 14:06:55 bleepingcomputer CYBERCRIME Increasing Cybercrime Activity Driven by Single Sign On Compromises through Infostealer Malware Attacks
Cybercrime rose sharply in 2023, according to Flare, with data extortion ransomware attacks up 112% on 2022. A key driver is the compromise of enterprise single sign-on (SSO) applications via infostealer malware, which steals the credentials, session cookies, and form-fill data saved in a victim's browser while leaving little trace on the machine. Around one million new stealer logs are distributed every month, an estimated 3-5% of them containing credentials or session cookies for corporate IT environments. Telegram is central to the ecosystem: threat actors use it both to distribute the malware and to receive fresh logs after successful infections. SSO streamlines authentication and makes multi-factor authentication (MFA) easier to enforce, but a stolen SSO session cookie can be replayed without a second factor and unlocks every service behind the identity provider at once. In an analysis of 22 million stealer logs, Flare found about 312,855 corporate SSO application domains in publicly available logs. Because compromised SSO access reaches multiple services simultaneously, it is an attractive foothold to sell to the highest bidder, often ransomware operators or affiliates. Flare markets a platform that monitors dark web markets, forums, and Telegram channels for stealer logs and provides threat exposure management to organizations.
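When a stealer log that names one of your SSO domains turns up, the urgent question is which sessions are still usable. The script below is an added example for this brief, not Flare's code or anything from the article; it assumes the cookie dump is in the Netscape cookies.txt format that many stealer families write (domain, subdomain flag, path, secure flag, expiry, name, value), and the sample lines, domains and cookie names are constructed placeholders.

```python
"""Triage a stealer log's cookie dump for corporate SSO sessions (added example, not Flare's code)."""

# Constructed sample in Netscape cookies.txt format; values are placeholders, not real tokens.
SAMPLE_COOKIES = [
    "# Netscape HTTP Cookie File (constructed sample)",
    "\t".join([".okta.com", "TRUE", "/", "TRUE", "1700000000", "sid", "REDACTED-1"]),
    "\t".join(["sso.example.com", "FALSE", "/", "TRUE", "1690000000", "JSESSIONID", "REDACTED-2"]),
    "\t".join([".example-shop.com", "TRUE", "/", "FALSE", "1700000000", "cart", "abc"]),
    "\t".join(["login.microsoftonline.com", "FALSE", "/", "TRUE", "0", "authsession", "REDACTED-3"]),
]


def parse_netscape_cookies(lines):
    """Yield one dict per cookie line; comments, blanks and malformed lines are skipped."""
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, _, path, secure, expiry, name, value = parts
        yield {
            "domain": domain.lstrip("."),  # a leading dot only marks 'include subdomains'
            "path": path,
            "secure": secure == "TRUE",
            "expiry": int(expiry),          # 0 means a browser-session cookie
            "name": name,
            "value": value,
        }


def on_watched_domain(domain, watch):
    """True if `domain` is `watch` or a subdomain of it (example-shop.com must not match example.com)."""
    return domain == watch or domain.endswith("." + watch)


def triage_sso_cookies(lines, watch_domains, now):
    """Return one record per cookie on a watched domain, live sessions first.

    `now` is a Unix timestamp. Session cookies (expiry 0) are treated as live: the server-side
    session usually outlives the browser session the stealer captured, so they are still replayable.
    The cookie value is deliberately not copied into the output.
    """
    hits = []
    for c in parse_netscape_cookies(lines):
        if any(on_watched_domain(c["domain"], w) for w in watch_domains):
            live = c["expiry"] == 0 or c["expiry"] > now
            hits.append({"domain": c["domain"], "name": c["name"], "live": live})
    return sorted(hits, key=lambda h: (not h["live"], h["domain"]))


if __name__ == "__main__":
    import time
    for hit in triage_sso_cookies(SAMPLE_COOKIES, ("okta.com", "example.com", "microsoftonline.com"), int(time.time())):
        print(hit)
```

Revoke the live sessions at the identity provider first, then reset the passwords; a reset alone does not invalidate a session cookie that is already in an attacker's hands. The output omits cookie values so the triage report does not itself become a credential leak.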
2023-10-18 13:05:32 theregister CYBERCRIME Ethical Hacker Exploits Bug in URL Shortening to Seize CIA Telegram Channel
An ethical hacker exploited a link-shortening bug on a social media platform to take control of a Telegram channel the CIA uses to receive tips. Kevin McSheehan noticed that the platform displayed the CIA's Telegram URL in truncated form, pointing at a handle nobody had registered, so he registered it himself. A hostile state could have done the same, setting up a convincing fake profile to receive intelligence intended for the CIA. After securing the handle, McSheehan warned visitors not to share sensitive information and offered to hand the channel to the US government. The CIA has since changed its profile to show the correct Telegram URL but has not commented; the platform's press office also declined to comment.
2023-10-18 12:29:21 thehackernews CYBERCRIME Critical Citrix NetScaler Vulnerability Exploited, Targeting Government and Tech Firms
Citrix has warned of active exploitation of a recently disclosed critical flaw in its NetScaler ADC and NetScaler Gateway appliances. The vulnerability, CVE-2023-4966 (CVSS 9.4), exposes sensitive information that enables session hijacking, letting an attacker bypass multi-factor and other strong authentication. Google-owned Mandiant reports zero-day exploitation in the wild since late August 2023. Citrix released patches in October 2023, but session tokens stolen before patching remain valid after the update, so the fix alone does not evict an attacker who already holds one. The as-yet unidentified actors have targeted professional services, technology, and government organizations. Mandiant therefore recommends that organizations both apply the patch and terminate all active sessions.