Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11585
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-18 10:05:07 | bleepingcomputer | MALWARE | Jupyter Linux Servers Targeted in Qubitstrike Malware Campaign Aiming at Crypto Mining and Data Theft | Threat actors are targeting internet-exposed Jupyter Notebooks to breach servers and deploy a combination of a Linux rootkit, crypto miners, and password-stealing scripts in a campaign dubbed "Qubitstrike". The attackers aim to hijack Linux servers for cryptomining and to steal credentials for cloud services such as AWS and Google Cloud. According to Cado Research, the malware payloads are hosted on codeberg.org, the first observed use of this platform for malware distribution. Qubitstrike starts by scanning for exposed Jupyter Notebooks, evaluates the CPU for mining capability, searches for credential files to steal, and then executes a malicious script with a variety of harmful functions. The Qubitstrike scripts also install the open-source Diamorphine rootkit for Linux, used to hide running scripts and malware payloads. Additionally, Qubitstrike looks for credentials on the compromised endpoint, sends them to its operators via the Telegram Bot API, and renames or deletes evidence of the breach from system log files. A review of the attacker's repository on Codeberg exposed another script that uses a Discord bot for command and control as well as data exfiltration. | Details |
| 2023-10-18 09:13:33 | thehackernews | NATION STATE ACTIVITY | Cyber Espionage Campaign Targets APAC Governments via Secure USBs | TetrisPhantom is a long-running cyber espionage campaign targeting government bodies in the Asia-Pacific (APAC) region by exploiting a type of secure USB drive used for secure data storage and transfer, according to Kaspersky's Q3 2023 APT trends report. The Russian cybersecurity firm identified the ongoing activity early in the year and raised concerns that the campaign could expand globally because the targeted secure USB drives are used worldwide. The actors behind the campaign remain unknown, but its sophistication implicates a nation-state group. The attacks are highly targeted and limited in victim numbers. A notable feature of the campaign is the use of several malware modules to launch commands, gather data, and spread the infection through connected secure USB drives. Kaspersky warns that the TetrisPhantom campaign includes complex tools and approaches, such as injecting code into a legitimate access management program on the USB drive, which acts as a loader for the malware on new machines. The report also disclosed a new, unknown Advanced Persistent Threat (APT) actor responsible for several sets of attacks on government entities, military contractors, universities, and hospitals in Russia via spear-phishing emails carrying malware-laden Microsoft Office documents; Kaspersky has codenamed these attacks BadRory. | Details |
| 2023-10-18 06:55:57 | bleepingcomputer | CYBERCRIME | FBI Issues Cyber Extortion Alert for Plastic Surgery Offices | The FBI warns of widespread phishing attacks targeting plastic surgery offices across the U.S., in which cybercriminals spoof emails and phone numbers, spread malware, and subsequently leak sensitive data to extort money from victims. The criminals compromise networks and steal a variety of sensitive data, including personally identifiable information and intimate photographs taken for medical purposes. The attackers further enrich the data with additional information gleaned from social media platforms and use it as leverage for extortion, threatening to share the data widely if a cryptocurrency payment is not made. The attackers set up public websites displaying the sensitive information and, in some cases, also share it with the victims' contacts to apply additional pressure. Protective measures suggested by the FBI include increasing social media privacy settings, enabling two-factor authentication for logins, creating complex passwords for all accounts, closely monitoring bank accounts and credit reports, setting up credit report fraud alerts or security freezes, and reporting any breaches to the Internet Crime Complaint Center (IC3). The warning follows a similar FBI public service announcement earlier this month about a rise in 'phantom hacker' scams, particularly targeting senior citizens in the U.S. | Details |
| 2023-10-18 06:50:18 | thehackernews | CYBERCRIME | Synology's DiskStation Manager Plagued by Medium-severity Admin Vulnerability | A flaw has been discovered in Synology's DiskStation Manager (DSM) that could enable an attacker to decipher an administrator's password and remotely take over the account. The vulnerability, tracked as CVE-2023-2729 and rated 5.9 on the CVSS scale, stems from the use of a weak random number generator to create the admin password for the network-attached storage (NAS) device. The PRNG used by the software, JavaScript's Math.random() method, can yield predictable values, reducing the strength of the generated secret and compromising sensitive information and systems. Exploiting the vulnerability would allow an attacker to predict the generated password and gain access to otherwise restricted functions, but would first require leaking the GUIDs and brute-forcing the Math.random() state to recover the admin password. While Synology addressed the flaw in updates released in June 2023, the danger persists under rare conditions, so users should remain alert. Sharon Brizinov of Claroty, the researcher who highlighted the vulnerability, recommended using cryptographically secure random number sources such as the window.crypto.getRandomValues() method instead of Math.random() for security purposes. | Details |
| 2023-10-18 03:57:27 | thehackernews | DATA BREACH | D-Link Confirms Data Breach Following Reported Phishing Attack | Taiwan-based networking equipment manufacturer D-Link has confirmed a data breach that exposed low-sensitivity and semi-public information. The leaked data originated from the company's outdated D-View 6 system, which was decommissioned in 2015, and was mainly used for registration purposes. The confirmation comes after an unauthorized party claimed in a forum post on October 1, 2023 to have stolen personal data of several government officials in Taiwan along with the source code of D-Link's D-View network management software. Cybersecurity firm Trend Micro, brought in to investigate the incident, found that the breach compromised roughly 700 outdated records, far fewer than the millions claimed by the unauthorized party. D-Link believes the incident occurred because an employee fell victim to a phishing attack, and the firm has stated its intent to strengthen its operational security. While precise details about the attack have not been disclosed, D-Link says its active customers are unlikely to be affected by the breach. D-Link also alleges that recent login timestamps in the leaked data were tampered with to make the outdated data appear recent. | Details |
| 2023-10-17 21:50:35 | bleepingcomputer | CYBERCRIME | Over 40,000 IT administrators system accounts found using 'Admin' as Password | Security researchers analyzed over 1.8 million admin credentials and found more than 40,000 entries using "admin" as the password, increasing exposure to potential cyberattacks. The authentication data was gathered between January and September 2021 through Threat Compass, a threat intelligence solution from cybersecurity company Outpost24. The credentials came from data harvested by information-stealing malware and, although not stored in plain text, the majority could be easily decoded and exploited without complex attack strategies. A potential intruder could gain access to confidential company data, customer tracking, and database operations through these admin portals. Outpost24 advises using long, strong, and unique passwords for every account, especially those with access to sensitive resources. They also recommend deploying an endpoint detection and response solution, disabling password saving and auto-fill options in web browsers, verifying domains when redirection occurs, and avoiding cracked software to avert potential attacks. | Details |
| 2023-10-17 21:14:47 | bleepingcomputer | CYBERCRIME | US Convenience Store Chain Kwik Trip Hints at Cyber Attack Behind IT Outage | US convenience store chain Kwik Trip is hinting that a cyberattack is behind its ongoing IT system disruption. Since October 8th, the company has been dealing with an IT outage that impacted its Rewards Program, support systems, phones, and emails. In a recent statement, Kwik Trip said it had hired third-party security experts to investigate the matter, but there is no evidence so far that any data has been stolen. The company's public-facing retail systems appear to be unaffected by the disruption. Given the incident, Kwik Trip is advising its customers and employees to closely monitor their credit histories and credit card transactions for potentially fraudulent activity. Employees have expressed frustration about the company's lack of transparency regarding the incident. It is critical to guard against potential phishing attempts via emails claiming to be from Kwik Trip but asking for sensitive information. | Details |
| 2023-10-17 20:48:59 | bleepingcomputer | CYBERCRIME | Over 10,000 Cisco IOS XE Devices Compromised Due to Zero-Day Exploit | Attackers have compromised more than 10,000 Cisco IOS XE devices by exploiting a severe zero-day vulnerability, infecting the devices with malicious implants. Cisco's IOS XE software runs on various products, including enterprise switches, aggregation and industrial routers, wireless controllers, and access points. The company noted that systems with the Web User Interface feature and the HTTP or HTTPS Server feature enabled are particularly at risk. Threat intelligence firm VulnCheck released a scanner to detect these malicious implants on affected Cisco devices; the firm's CTO, Jacob Baines, stated that the exploit likely allows attackers to monitor network traffic and execute man-in-the-middle attacks. Cisco first identified attacks involving the CVE-2023-20198 zero-day in late September; in those attacks, the perpetrators created local user accounts and deployed malicious implants. Investigation revealed that the same actor likely conducted these attacks, with more recent activity appearing to establish more persistent access via the implants. Cisco advised administrators to disable the vulnerable HTTP server feature on all internet-facing systems until a patch is available, and to look for newly created user accounts as indicators of possible malicious activity. | Details |
| 2023-10-17 19:52:48 | bleepingcomputer | MALWARE | Malicious Notepad++ Google Ads Scheme Uses Advanced Techniques to Distribute Malware | Threat actors have leveraged Google Ads for several months, undetected, in a malvertising campaign targeting users of the Notepad++ text editor. The attack directs users to fake software websites that distribute malware, potentially including Cobalt Strike, which often precedes serious ransomware attacks. The campaign uses misleading titles in Google Search adverts to attract users and then redirects them to websites based on their IP address. Legitimate targets are redirected to a fraudulent Notepad++ site where, if they click any of the download links, a system fingerprint check is performed to confirm they are valid targets. Suitable victims are then served an HTA script with a unique ID, likely used by the attackers to track their infections; it is served only once, and a second visit results in an error. To avoid falling victim to such attacks, users are advised to skip promoted results when searching for software tools and to double-check the official domain. | Details |
| 2023-10-17 19:11:43 | bleepingcomputer | CYBERCRIME | Amazon Increases Cybersecurity with New Passwordless Login Option Via Passkeys | Amazon has quietly introduced passkeys, a passwordless login option that provides improved protection against malware and phishing attacks. Passkeys are digital credentials that let users log in to websites using the biometric controls or PINs associated with their devices, such as smartphones, computers, and USB security keys. The new method reduces the risk of network and data breaches and resists phishing tactics and info-stealing malware, preventing compromise of authentication information. Amazon users can create a passkey in the account's Login & Security settings; the user is prompted to use Windows Hello, a security key, or a mobile device to generate the passkey. The new option still allows traditional password logins, but passkeys are safer because they remove the risk of entering one's password on a phishing landing page. There are limitations, however, including the inability to manage or name passkeys individually on Amazon's platform and the fact that passkeys cannot be used across Amazon's regional websites. Other companies expanding their use of passkeys include Google, Microsoft, WhatsApp, Best Buy, eBay, PayPal, and GoDaddy. | Details |
| 2023-10-17 18:51:01 | bleepingcomputer | DATA BREACH | D-Link confirms breach following phishing attack; stolen data available for sale on hacking forum | Taiwanese networking equipment manufacturer D-Link confirmed a data breach earlier this month. Reportedly, an employee fell prey to a phishing attack, allowing an attacker to access the company's network. The attacker claims to have stolen source code for D-Link's network management software, D-View, along with millions of entries containing customers' and employees' personal information, including names, emails, addresses, phone numbers, account registration dates, and last sign-in dates; the records span from 2012 to 2013. Despite the attacker's claim of three million breached lines of information, D-Link stated that the compromised system contained only about 700 inactive, outdated, and fragmented records. According to D-Link, the infiltrated server was an out-of-date "test lab environment" running an end-of-life D-View 6 system; why it was still running and potentially reachable from the internet despite being decommissioned in 2015 remains unknown. D-Link speculates that the attacker intentionally tampered with login timestamps to create the illusion of more recent data theft, but assured that the majority of its current customers are unlikely to be impacted by the incident. | Details |
| 2023-10-17 15:57:59 | bleepingcomputer | MALWARE | Fake Volcano Alert App in Italy Distributes SpyNote Android Malware | The Android 'SpyNote' malware is being distributed through a fake 'IT-alert' public service application that imitates a legitimate service run by the Italian Department of Civil Protection. The fake IT-alert warns of an increased threat of a volcanic eruption, prompting visitors to download the application in order to receive updated information. If clicked from an Android device, the download button initiates the installation of an APK file that deploys the SpyNote malware onto the device, giving attackers access to a range of invasive actions. The malware can also perform overlay injection attacks to steal user credentials when the user opens banking, cryptocurrency wallet, and social media applications. SpyNote was first documented in 2022, and its detections rose significantly after the source code of a variant, 'CypherRat,' was leaked, leading to custom versions targeting specific banks as well as versions masquerading as Google's Play Store and other reputable apps. In response to these threats, users are advised to refrain from downloading and installing APKs from sources outside the Google Play Store unless they explicitly trust the source. | Details |
| 2023-10-17 14:51:26 | thehackernews | NATION STATE ACTIVITY | Nation-State Hackers Utilizing Discord to Target Critical Infrastructure | Discord has become an attractive platform for nation-state hackers targeting critical infrastructure, who abuse its content delivery network (CDN) to host malware and siphon sensitive data. Cybersecurity firm Trellix discovered an artifact targeting Ukrainian critical infrastructure, though no direct link to a known threat group has been found. The discovered sample is a Microsoft OneNote file, disguised as an email from the non-profit dobro.ua, that contains a button which, when clicked, triggers a Visual Basic Script (VBS) that in turn runs a PowerShell script along with another PowerShell script fetched from GitHub. In the final stage, PowerShell uses a Discord webhook to exfiltrate system metadata; the researchers highlight the potential future threat of more sophisticated malware delivery. So far, loaders such as SmokeLoader, PrivateLoader, and GuLoader have been identified among the prevalent malware families using Discord's CDN to download next-stage payloads, while families such as Mercurial Grabber, Stealerium, Typhon Stealer, and Venom RAT have used Discord webhooks. Abuse of Discord gives sophisticated long-term infiltration attempts on networks both efficiency and adaptability, posing a significant risk to critical infrastructure and sensitive data. | Details |
| 2023-10-17 14:40:47 | thehackernews | CYBERCRIME | Security Flaws in Open-Source CasaOS Cloud Software Enable Unauthorised Code Execution | Two security flaws in the open-source CasaOS personal cloud software have been identified that allow attackers to execute arbitrary code and take control of vulnerable systems. The vulnerabilities, tracked as CVE-2023-37265 and CVE-2023-37266, have a critical severity score of 9.8 out of a possible 10. Security researcher Thomas Chauchefoin noted that the bugs could enable attackers to bypass authentication requirements and gain full access to the CasaOS dashboard. CasaOS' support for third-party applications can be misused to run arbitrary commands on the system, enabling persistent device access and intrusion into internal networks. The vulnerabilities were responsibly reported and subsequently addressed in version 0.4.4, released by IceWhale on July 14, 2023. Exploiting these flaws would allow attackers to circumvent authentication restrictions and gain administrative privileges on vulnerable systems. The researcher highlighted the risks of identifying clients by IP address at the application layer, advising against using such addresses for security decisions because they can be manipulated. | Details |
| 2023-10-17 14:04:39 | bleepingcomputer | CYBERCRIME | Strengthening Cybersecurity Measures with Comprehensive Password Protection Tools | The Ponemon Institute reports that 54% of cybersecurity incidents are due to credential theft, making it a significant and continuous threat to organizations. Cybercriminals target credentials because 51% of people reuse their login information across different sites, granting attackers access to a wider range of information if exploited and potentially leading to more substantial and costly breaches. Despite the known risks, people, including 92% of IT leaders according to the HIPAA Journal, continue to reuse passwords, increasing the vulnerability of the systems they use. Specops Software offers a solution with Specops Password Policy with Breached Password Protect, which bars users from using known breached passwords. The Specops solution continuously screens for compromised passwords, alerts users when their password is compromised, and forces a password change at the next login, allowing companies to maintain a rigorous, proactive security policy. | Details |