Daily Brief

The article summaries below are generated automatically.

2023-10-17 05:48:27 thehackernews CYBERCRIME Ukrainian Telecom Providers Suffer Cyberattacks Causing Service Disruptions
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported interference with at least 11 telecommunications service providers in the country between May and September 2023. The cyberattacks led to service interruptions for customers. The threat actors begin with a reconnaissance phase to identify potential network entry points at the telecom companies, then employ specialized programs called POEMGATE and POSEIDON for credential theft and remote control of infected hosts, and a utility named WHITECAT to erase the forensic trail. Unauthorized access to the telecom providers' networks is achieved via VPN accounts that lack multi-factor authentication, after which attempts are made to disable network and server equipment. CERT-UA stated that compromised legitimate email addresses are subsequently used to deliver SmokeLoader malware to PCs, with the intent to steal authentication data or alter financial documents in remote banking systems for unauthorized payments. CERT-UA noted that the reconnaissance and exploitation activities are carried out from previously compromised servers located within the Ukrainian segment of the internet, using Dante, SOCKS5, and other proxy servers to route traffic. This report follows an earlier statement from CERT-UA about four observed phishing waves conducted by a hacking group it tracks as UAC-0006, which also used SmokeLoader malware.
2023-10-17 04:16:42 thehackernews CYBERCRIME Actively Exploited Zero-Day Vulnerability Identified in Cisco IOS XE Software
Cisco has warned of a critical, unpatched zero-day vulnerability (CVE-2023-20198) in its IOS XE software that is being actively exploited by an unidentified attacker. The flaw lies in the web user interface feature and is rated 10.0 on the CVSS scoring system. It affects enterprise networking gear that has the Web UI feature enabled and exposed to the internet or untrusted networks, on both physical and virtual devices with the HTTP or HTTPS server feature enabled. The flaw allows a remote, unauthenticated attacker to create an account with privileged access and take control of the affected system. Malicious activity was first detected on a customer device in September 2023, when a local user account was created from a suspicious IP address. Further unauthorized activity from a different IP address was noted in October 2023, followed by the deployment of a Lua-based implant. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory and added the flaw to its Known Exploited Vulnerabilities catalog. As a mitigation measure, Cisco recommends disabling the HTTP server feature on internet-facing systems. While the implanted backdoor is not persistent, the rogue privileged accounts created by the attacker remain active. The threat actor's identity is undetermined at this stage.
2023-10-17 03:10:21 theregister MISCELLANEOUS Imminent Changes to Cyber Security Regulations Demand Compliance
Imminent changes to cyber security regulations in the US and Europe require both public and private sector organisations to ensure compliance. The new Securities and Exchange Commission mandate will be enforced from 18 December, making it essential for organisations to report cyber incidents and present a Cyber Report detailing their cyber health. The US Department of Defense (DoD) 8140.3 directive, to be enforced by February 2024, specifies that anyone working within the DoD must validate their cyber skill set. The European Union NIS II Directive requires critical sector organisations operating in member states to take appropriate security measures and notify the relevant national authorities of serious incidents by 17 October 2024. SANS, a security training company, has put together a Cyber Compliance Countdown event to assist organisations in navigating these new regulations. The event will offer advice on incident response plans, training ahead of the new regulations, and analysing the new cyber security guidelines.
2023-10-16 21:30:10 bleepingcomputer MALWARE Advanced Persistent Threats Now Using Discord for Malicious Activity
Discord has become a hub for malicious activity, including malware distribution, data exfiltration, and theft of authentication tokens. A new report by Trellix reveals that Advanced Persistent Threat (APT) groups have also joined the platform to target critical infrastructure. Malicious actors abuse Discord in three ways: distributing malware through its content delivery network (CDN), modifying the Discord client to steal passwords, and using Discord webhooks to exfiltrate data from victims' systems. Over 10,000 malware samples have reportedly used Discord's CDN to deliver second-stage payloads, mainly malware loaders and general loader scripts. Data theft using Discord webhooks has been observed in 17 malware families. Because Discord's features help evade antivirus detection and network monitoring tools, and are easy to set up and use, they appeal to cybercriminals, making it difficult for the platform to deter misuse. The report also notes that sophisticated threat groups have started using Discord, blending their activities in with those of others and making it nearly impossible to track and attribute their actions. One unidentified group has targeted critical infrastructure in Ukraine through spear-phishing. The platform's scale, encrypted data exchange, and the legitimate function of the abused features make it difficult for Discord to discern malicious activity. Banning suspect accounts does not appear to deter the creation of new ones, suggesting the problem may worsen in the future.
2023-10-16 20:13:41 bleepingcomputer CYBERCRIME Kansas State Courts Offline Following Cybersecurity Incident; Court Operations Remain Functional
The IT systems of state courts across Kansas remain offline following a "security incident." Impacted systems include the eFiling system, the electronic payments system, and case management systems. The state's Supreme Court has issued an administrative order confirming that clerk offices in the appellate courts and most district courts (except Johnson County) are offline. Despite these disruptions, the courts remain operational, with submissions currently being made on paper or via fax because electronic filings and payments cannot be accepted. The Kansas Supreme Court has indicated that this measure extends filing deadlines under the applicable rules and statutes. The Office of Judicial Administration is working with experts to investigate the security breach and expects to provide a timeline for system recovery soon. This incident follows another recent alleged cyberattack, on the First Judicial Circuit state courts in Northwest Florida, claimed by the ALPHV (BlackCat) ransomware gang. Florida court authorities confirmed that operations remain uninterrupted but have yet to verify ALPHV's claims.
2023-10-16 19:12:19 bleepingcomputer CYBERCRIME Hackers Actively Exploit Zero-Day Vulnerability in Royal Elementor Addons and Templates on WordPress
Hackers are actively exploiting a critical vulnerability in Royal Elementor Addons and Templates, a widely used website-building kit for WordPress. The flaw, tracked as CVE-2023-5360 and rated 9.8 "Critical" under CVSS v3.1, allows unauthenticated attackers to upload arbitrary files to vulnerable websites. Attackers can also manipulate the list of allowed file types, achieving remote code execution and potentially gaining complete control over a website. WordPress security firms Wordfence and WPScan have recorded thousands of attacks targeting Royal Elementor since August 30, 2023. Most attacks originate from two IP addresses, suggesting that only a few threat actors are aware of the exploit. The add-on's vendor was informed of the flaw on October 3, 2023, and released an update (version 1.3.79) on October 6, 2023, to patch it. Affected users are advised to update to the latest version as soon as possible and to clean up their websites, as the patch does not automatically remove malicious files.
2023-10-16 18:10:44 bleepingcomputer NATION STATE ACTIVITY Russian Sandworm Hackers Compromise 11 Ukrainian Telecommunication Service Providers
The Ukrainian Computer Emergency Response Team (CERT-UA) reports that Sandworm, a state-sponsored Russian hacking group, compromised 11 Ukrainian telecom service providers between May and September 2023. The hackers interfered with the communication systems of the targeted telcos, causing service disruptions and possible data breaches. The group has stepped up its activity against Ukraine throughout 2023, using phishing schemes, Android malware, and data wipers. Sandworm begins its attacks by performing reconnaissance on a telecom company's networks, looking for insecure ports and unprotected RDP or SSH interfaces. The hackers then use several tools to identify vulnerabilities in web services that can be exploited to obtain access, and deploy proxy servers to make their intrusion less conspicuous. They have also been found using two backdoors, 'Poemgate' and 'Poseidon', which maintain persistent access to compromised systems and facilitate deeper network infiltration. In the final stages of an attack, the hackers deploy scripts that trigger service disruptions and delete backups to complicate recovery. CERT-UA recommends that all Ukrainian service providers follow its guide on thwarting cyber intrusions to safeguard their systems.
2023-10-16 17:34:35 theregister CYBERCRIME Kansas State Courts Forced to Rely on Paper Filing Amid Mysterious Security Incident
A security incident has forced state courts across Kansas to resort to paper filings, potentially for several weeks, according to a warning from a state judge. The specifics of the incident are currently unclear. The Kansas Supreme Court said it was experiencing "network issues" and had temporarily turned off its eFiling system to allow for security checks. Various state eFiling systems, including the Protection Order Portal, online marriage applications, and payment processing systems, among others, are currently affected. The Municipal Court, Probation, and Prosecution divisions in Topeka have also been closed to the public on account of "possible security concerns" with one of the court's systems. Based on statements from the Kansas Supreme Court and the city of Topeka, it is currently unknown whether these security concerns are connected to the Kansas Supreme Court's network security issue. One county, Johnson County, is still operating normally under the Supreme Court's order; it is the only county not yet scheduled to receive the state's new centralized eCourt system. The incident may involve ransomware, given the length of the cybersecurity response and the inaccessibility of systems or data, but no official confirmation has been provided yet.
2023-10-16 15:47:00 bleepingcomputer CYBERCRIME Cisco Warns of Maximum Severity Zero-Day Vulnerability in IOS XE Software
Cisco's IOS XE Software has a severe zero-day vulnerability (CVE-2023-20198) that is actively exploited in attacks, allowing attackers to gain full control of affected routers. The vulnerability affects devices running the Web User Interface (Web UI) feature with the HTTP or HTTPS Server feature enabled. The vulnerability, currently unpatched, enables an attacker to create an account on the compromised device, granting full access and facilitating subsequent unauthorized activity. Cisco's Technical Assistance Center first noticed the attacks on September 28 because of unexpected behaviour on a customer device, and found that the illicit activity had started on September 18. The attackers used authorized user access from suspicious IP addresses to create local accounts and deploy a malicious implant that allowed them to execute arbitrary commands at the system or IOS level. As a mitigation measure, Cisco strongly advises admins to disable the HTTP server feature on internet-facing systems, thereby blocking incoming attacks. To detect the implant on compromised devices, organizations are encouraged to look for unexplained or newly created user accounts as potential indicators of malicious activity. Last month, Cisco warned customers to patch another zero-day vulnerability in its IOS and IOS XE software, indicating an increased focus on these platforms by attackers.
2023-10-16 15:20:27 theregister MALWARE China-linked Hackers Utilize New Backdoor "BLOODALCHEMY" to Target Southeast Asian Nations
Elastic Security Labs has discovered a new backdoor, called "BLOODALCHEMY," being used in cyber attacks against enterprises and government bodies in the Association of Southeast Asian Nations (ASEAN). The backdoor is part of an intrusion set, REF5961, which is likely connected to a China-aligned group; the same group is also suspected of a separate espionage-focused attack on the Mongolian government. BLOODALCHEMY targets x86 systems and appears to be a work in progress, given the limited number of effective commands observed by researchers. Its commands can overwrite the malware toolset, launch the malware binary, gather host information, and uninstall and terminate the malware. It achieves persistence through several techniques and features multiple running modes, string encryption to mask data, and additional obfuscation methods. REF5961 contains three additional newly discovered malware families, termed EAGERBEE, RUDEBIRD, and DOWNTOWN, which have also been linked to earlier attacks. The researchers believe the adversaries behind the intrusion set are state-sponsored and engaged in espionage. Notably, China's state-sponsored cyber campaigns have traditionally centered largely on espionage.
2023-10-16 15:20:26 bleepingcomputer MALWARE Fake RedAlert Rocket Alert App Installs Android Spyware on Israeli Users' Devices
A fake version of the 'RedAlert – Rocket Alerts' app is being used to install spyware on Android devices in Israel. The legitimate app notifies Israelis of incoming rockets targeting the country and has seen a surge in interest due to the recent rocket attacks in southern Israel. Unknown hackers have exploited this by creating an identical-looking malicious version of the app with spyware capabilities. The fake version is distributed via the website "redalerts[.]me," created in October 2023. The Android download link on this website leads to an APK file that contains the spyware. The APK requests additional permissions from victims, such as access to the user's contacts and SMS messages. Once granted, this information is encrypted and uploaded to a hardcoded IP address. The app includes built-in anti-debugging features to hinder analysis by security researchers. The fake app's website is currently offline, but the threat actors are expected to re-emerge with a new domain. To mitigate the risk, users are advised to review the permissions of the app they have installed and ensure they have the latest version, which should include the security patches that fix the vulnerabilities used for potential hijacks.
2023-10-16 15:09:14 bleepingcomputer CYBERCRIME CISA, FBI, and MS-ISAC Urge Immediate Patching of Critical Atlassian Confluence Flaw
CISA, the FBI, and MS-ISAC have issued warnings urging network admins to immediately patch a critical privilege escalation flaw in Atlassian Confluence servers, tracked as CVE-2023-22515. The flaw affects Confluence Data Center and Server versions 8.0.0 and later. Non-interactive, low-complexity attacks exploiting this flaw have been traced to a Chinese-backed threat group, Storm-0062 (also known as DarkShadow or Oro0lxy), since September 14, 2023. To mitigate the risk, Atlassian advised customers to upgrade their Confluence instances to one of the fixed versions; those who could not upgrade were advised to shut down affected instances or isolate them from the internet while checking for indicators of compromise. While cybersecurity firm GreyNoise has found exploitation of this flaw to be very limited so far, CISA, the FBI, and MS-ISAC expect this to change following the release of proof-of-concept exploits by pentester Valentin Lobstein and Sophos security engineer Owen Gong, alongside detailed vulnerability analysis published by Rapid7 researchers. The three organizations further stressed the urgency of patching Confluence servers promptly, given their historical appeal to malicious actors, as underlined by previous campaigns involving Linux botnet malware, crypto miners, and AvosLocker and Cerber2021 ransomware.
2023-10-16 13:57:23 thehackernews NATION STATE ACTIVITY Pro-Russian Hackers Target Users in Phishing Campaign Exploiting WinRAR Vulnerability
Pro-Russian hacking groups are exploiting a known security vulnerability in the WinRAR archiving utility in a phishing operation aimed at gathering credentials from affected systems. The vulnerability, tracked as CVE-2023-38831, affects WinRAR versions prior to 6.23. The attack uses malicious archive files that contain a booby-trapped PDF file; when the file is clicked, a Windows Batch script is launched, which runs PowerShell commands that open a reverse shell giving the attacker remote access to the targeted system. The operation also deploys a PowerShell script to steal data, including login credentials, from the Google Chrome and Microsoft Edge browsers, and exfiltrates the captured information via the legitimate web service webhook[.]site. The WinRAR bug allows attackers to execute arbitrary code when a user attempts to view a benign file inside a ZIP archive. It has been weaponized as a zero-day since April 2023, particularly against traders. Google-owned Mandiant recently mapped out the swiftly evolving phishing operations of Russian nation-state actor APT29 targeting diplomatic bodies. APT29's evolving tactics and tradecraft are likely designed to facilitate larger-scale operations and hinder forensic analysis. Other Russian activity groups have been targeting Ukraine since the war broke out in early 2023, including Turla, which has deployed the Capibar malware and Kazuar backdoor to conduct espionage attacks on Ukrainian defensive assets.
2023-10-16 12:15:31 thehackernews MALWARE SpyNote Trojan Threat: Android Malware Records Audio, Phone Calls, and Thwarts Uninstallation Attempts
The Android banking trojan known as SpyNote is spreading via SMS phishing campaigns that trick users into installing the app by clicking an embedded link. The malware requests invasive permissions to access call logs, the camera, SMS messages, and external storage, and is designed to hide its presence from the Android home screen and the Recents screen. SpyNote grants itself additional permissions to record audio and phone calls, log keystrokes, and capture screenshots via the MediaProjection API. The trojan includes so-called diehard services that resist attempts to terminate it, registering a receiver that restarts it whenever it is about to be shut down. Attempts to uninstall the app through the Settings menu are thwarted by the malware's ability to close the menu screen. Ultimately, victims may have to resort to a factory reset, losing all data on the device, to remove the malicious app. The warning comes as part of a broader advisory on bogus Android apps that pose as system updates to trick users into granting permissions and then steal SMS and banking data.
2023-10-16 11:59:50 thehackernews CYBERCRIME Increase in SaaS Security Breaches Triggers Advancements in Security Management Tools
There has been a significant increase in SaaS security breaches over the past two years, with 55% of organizations experiencing incidents such as data leaks, data breaches, ransomware attacks, and malicious applications. Misconfigured security settings remain a major route to breaches, contributing to 35% of security incidents. Organizations recognize manual audits and CASB deployments as only partial solutions, and about 80% plan to use a SaaS Security Posture Management (SSPM) tool such as Adaptive Shield for automated configuration and SaaS security monitoring by September 2024. With the adoption of SSPM, organizations are improving their understanding of SaaS app users and recognizing the importance of identity and access governance in SaaS app security. SaaS-to-SaaS access, or third-party application integrations, has emerged as a substantial attack vector: while these integrations enhance workflows, they often carry significant risk because they request intrusive permission scopes, ranging from read/write access to the ability to delete entire folders and drives of data. Video series such as "SaaS Security on Tap," hosted by Eliana V, are becoming an effective way to educate organizations on evolving threat vectors and the importance of SaaS security management.