Daily Brief

2023-10-16 09:37:13 thehackernews CYBERCRIME Signal Refutes Alleged Zero-Day Flaw Reports
Encrypted messaging app Signal has refuted "viral reports" of an alleged zero-day flaw in its software, stating that it found no evidence to support the claims. Despite circulating reports of a zero-day exploit in Signal that could grant complete access to a targeted mobile device, the company remains confident that the claims are invalid. Signal has urged anyone with legitimate information to report it through its official security channels. The controversy arises amid disclosures that zero-days for infiltrating messaging apps are being sold for hefty prices, making them attractive to nation-state threat actors. A report from Amnesty International linked spyware attacks against journalists, politicians, and academics in various countries to the Intellexa alliance, a consortium known for developing the Predator malware. Another recent report revealed that commercial surveillance vendors are exploiting the digital advertising ecosystem, using ad networks to target and infect mobile devices worldwide.
2023-10-16 06:08:35 bleepingcomputer MISCELLANEOUS Signal Refutes Claims of a Zero-Day Bug Exploiting Its 'Generate Link Previews' Feature
Rumors of a zero-day security vulnerability in the Signal application, associated with its 'Generate Link Previews' feature, surfaced online. As alleged, the flaw could potentially lead to a complete device takeover. Signal, known for its strong encryption, investigated the claims but found no evidence that such a vulnerability is real. After examining the allegations, the Signal security team asked anyone with concrete information about the issue to get in touch immediately. The news about the flaw initially spread quickly across the cybersecurity community and online platforms, citing unverified US government (USG) sources. In the absence of solid proof or verified reports, users may prefer to temporarily disable the Link Previews feature as a precaution until a formal investigation concludes that the allegations are groundless.
2023-10-16 05:02:20 thehackernews MALWARE Binance's Smart Chain Utilised in EtherHiding Malware Campaign
The EtherHiding malware campaign has leveraged Binance's Smart Chain (BSC) contracts to host malicious code, marking a new development in cybercriminal tactics. The campaign, discovered by Guardio Labs two months ago, uses compromised WordPress sites to deploy malware such as Amadey, Lumma, and RedLine. The attackers use malicious plugins and public security flaws to breach websites, then inject JavaScript designed to query the BSC by calling a smart contract tied to an attacker-controlled blockchain address. This process fetches further scripts from a command-and-control server that produce deceptive browser update notices. If a user clicks on the update, they download a malicious executable. Security researchers have flagged the associated blockchain addresses and contracts as part of a phishing scheme; however, due to the decentralized nature of the blockchain, they cannot be taken offline. To protect against such attacks, WordPress users are advised to follow security best practices, update their systems regularly, remove unneeded admin users, and use strong passwords.
2023-10-16 03:00:15 theregister DATA BREACH Progress Software faces legal fallout and SEC investigations over MOVEit vulnerability
The US Securities and Exchange Commission (SEC) is investigating Progress Software after a cyber breach exploited bugs in its MOVEit file transfer software. Progress stated in an SEC 10-Q filing that it had received a subpoena seeking various documents and information relating to the vulnerability. The software firm is also facing 58 class action lawsuits filed by individuals claiming to have been impacted by data exfiltration from the environments of its MOVEit Transfer clients. On top of this, the company has received formal letters from 23 MOVEit customers alleging that the vulnerability has cost them money, and some are seeking indemnification. An insurer has also filed a subrogation claim against Progress, seeking recovery of all expenses associated with the MOVEit vulnerability. Domestically and internationally, the firm is cooperating with inquiries from data privacy regulators, state attorneys general, and a federal law enforcement agency, all of which are investigating the matter. Another exploit in a Progress file transfer application, WS_FTP, was also briefly mentioned in the SEC filing. The firm stated that it had patched this issue.
2023-10-15 15:15:08 bleepingcomputer CYBERCRIME Valve Implements SMS Verification on Steam Platform to Thwart Malware Attacks via Compromised Game Updates
Valve's Steam platform is introducing SMS-based user verification to improve security against malicious updates and infected game builds. The implementation comes in response to an increasing number of reports of compromised Steamworks accounts being used to spread malware to players via unauthorized updates. The impacted user base was reported to be in the hundreds. Effective from October 24, 2023, game developers will be required to pass an SMS-based security check before updating games on the platform's default release branch. The same SMS procedure will apply to anyone adding new users to a Steamworks partner group. Despite Valve's efforts, critics argue that SMS verification will not fully protect against attacks, as evidenced by an incident in which a game developer's credentials were stolen using malware that compromised session tokens. The platform's SMS-based verification is also susceptible to SIM-swap attacks. Critics recommend authenticator apps or physical security keys for stronger protection.
2023-10-15 14:19:06 bleepingcomputer CYBERCRIME Women Political Leaders Summit Targeted by 'Void Rabisu' with RomCom Malware Variant
The Women Political Leaders (WPL) Summit in Brussels was targeted by 'Void Rabisu' with a lightweight variant of the RomCom backdoor. The campaign used a fake website, which mirrored the WPL website, to lure individuals interested in the summit. According to a report by Trend Micro, the deceptive site linked to a OneDrive folder containing a malware downloader disguised as 'Unpublished Pictures.' The malware variant reportedly uses a new Transport Layer Security (TLS) enforcement mechanism to make Command and Control (C2) communications more resistant to snooping. Void Rabisu, previously known for opportunistic ransomware attacks, has been using a stealthier backdoor and exploiting zero-day vulnerabilities in Microsoft products. This latest attack indicates a shift towards high-level cyberespionage campaigns by Void Rabisu, and Trend Micro has warned that the group may target other large conferences related to special interest groups.
2023-10-14 15:19:04 bleepingcomputer CYBERCRIME Researchers Develop AI Algorithm to Protect Military Robots from MitM Cyberattacks
Researchers at the University of South Australia and Charles Sturt University have developed an artificial intelligence (AI) algorithm that can detect and intercept man-in-the-middle (MitM) cyberattacks on unmanned military robots. MitM attacks are cyberattacks in which data traffic between two parties is intercepted, potentially enabling attackers to read or modify the transmitted data, or even hijack control of the robots. Military robot operating systems are particularly susceptible to such attacks because of their highly networked nature, necessitated by their collaborative operation with sensors and controllers communicating via cloud services. The researchers used machine learning techniques to develop an algorithm that can detect these attacks and shut them down within seconds. The algorithm was tested on a replica of a robot used by the U.S. Army and successfully prevented attacks 99% of the time. Advanced versions of the system could extend protection to more complex robotic applications such as unmanned aerial vehicles. The technology works by thoroughly scrutinizing packet data, using a node-based system and a flow-statistic-based system that analyzes metadata from the packet header. The researchers used a convolutional neural network model, which provided highly reliable detection outcomes.
2023-10-14 14:12:43 bleepingcomputer MALWARE Compromised Skype Accounts Serve as Conduits for DarkGate Malware Attacks
Between July and September, attackers used compromised Skype accounts to deliver DarkGate malware via messages containing VBA loader script attachments. The cybercriminals were able to infiltrate the victims' Skype accounts, take control of existing conversation threads, and name the malware files to match the chat context. The exact method of the initial account compromise remains unclear, but Trend Micro conjectures it may have been leaked credentials on underground forums or a prior compromise of the parent organization. Trend Micro also observed attempts to deliver the same DarkGate payload through Microsoft Teams in organizations that allow messages from external users. The attackers' goals range from deep penetration of the victim environment to deploying threats such as ransomware and cryptominers, depending on the specific DarkGate variant used. The increased use of DarkGate malware for initial access into corporate networks since the shutdown of the Qakbot botnet in August underscores the growing influence of this malware-as-a-service operation. While the delivery methods vary, from phishing to malvertising, the surge in DarkGate activity demonstrates the threat actors' determination to adapt their tactics despite disruptions and challenges.
2023-10-14 11:40:08 bleepingcomputer CYBERCRIME Ubuntu Pulls Desktop Release Due to Hate Speech Inserted in Ukrainian Translations
Ubuntu, the popular Linux distribution, has withdrawn its Desktop release 23.10 over hate speech embedded in its Ukrainian translations. Ubuntu identified a malicious contributor as the source of the anti-Semitic, homophobic, and xenophobic slurs, which were injected through a third-party tool that exists outside the Ubuntu Archive. Ubuntu promptly took down the affected images three hours after the release, stating that the issue solely affects translations shown to users during installation in the in-memory Live CD environment, with nothing propagated to disk. Users upgrading from a previous Ubuntu release are therefore not affected. The malicious strings were reported to have been appended toward the end of the translations file by a user named "Danilo Negrilo," making them harder to detect. While this incident was restricted to translations, it has raised concerns among users that malware could be introduced into future Ubuntu releases through similarly untrusted dependencies. Ubuntu has restored the Ukrainian translations to their pre-incident state and is conducting a broader audit before making the release officially available again. For the moment, users can download Ubuntu Desktop 23.10 using the unaffected Legacy installer ISO or upgrade from a previously supported release.
2023-10-14 10:03:23 bleepingcomputer CYBERCRIME Ubuntu Halts Desktop Release 23.10 Due to Hate Speech in Ukrainian Translations
Ubuntu, the most popular Linux distribution, has temporarily taken down its Desktop release 23.10 due to hate speech detected in its Ukrainian language translations. The offensive text contained anti-Semitic, homophobic, and xenophobic slurs introduced via a third-party tool external to the Ubuntu Archive, and was attributed to a malicious contributor. The problematic release was removed approximately three hours after the issue was flagged. The incident purportedly affects only users who download and install the system afresh, not those who upgrade from an earlier version. Concerns have been raised about the potential for malware to be introduced into future Ubuntu releases in a similar manner. Ubuntu's development team notes, however, that the complexity of translations makes them harder to monitor than code dependencies, which undergo regular security audits. Ubuntu has restored the Ukrainian translations to their state before the tampering, and a broader audit is underway before the release is made officially available again. Meanwhile, users are advised to download the unaffected Ubuntu Desktop Legacy ISO.
2023-10-14 06:33:43 thehackernews CYBERCRIME Microsoft to Phase Out NTLM for Kerberos to Bolster Security in Windows 11
Microsoft is planning to phase out NT LAN Manager (NTLM) in Windows 11 to enhance security through stronger authentication. The company is working on strengthening the Kerberos authentication protocol, which has been the default since 2000. Microsoft is introducing two new features to support this change: Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos. NTLM, a suite of security protocols intended to provide authentication, integrity, and confidentiality to users, is vulnerable to relay attacks, which makes it the less secure option. Microsoft is also addressing hard-coded NTLM instances in preparation for disabling NTLM in Windows 11 and encouraging the use of Kerberos instead. The changes will be enabled by default and will not require configuration for most scenarios. NTLM will continue to act as a fallback mechanism to maintain compatibility.
2023-10-13 22:26:30 bleepingcomputer RANSOMWARE Increased Ransomware Attacks Continue, Major Corporations & Public Sectors Affected
Ransomware attacks have intensified, causing severe disruption to normal business operations and data leaks when a ransom is not paid. Among those affected are Air Canada, state courts in Northwest Florida, and Simpson Manufacturing. The BianLian group is responsible for the attack on Air Canada, whereas ALPHV claimed the attack on the state courts of Northwest Florida. The attack on Simpson Manufacturing caused the company to shut down its IT systems entirely; however, it remains unconfirmed whether it was a ransomware attack. The complete source code for the first version of HelloKitty ransomware has been leaked on a Russian-speaking hacking forum, with claims that a more potent version is in development. The Spanish airline Air Europa recently experienced a data breach that compromised customers' credit card information, and customers have been advised to cancel their cards immediately. The Federal Bureau of Investigation (FBI) has shared AvosLocker ransomware technical details and defense tips, and unpatched WS_FTP servers have been identified as new targets for ransomware attacks. Reports indicate that Q3 of 2023 was the most successful quarter ever recorded for ransomware attacks.
2023-10-13 20:14:07 bleepingcomputer DATA BREACH 23andMe Faces Multiple Lawsuits Following Large-Scale Data Breach
Genetic testing provider 23andMe has been hit with several class action lawsuits following a data breach that potentially impacted millions of its customers. The breach saw a threat actor leak customer data on cybercrime forums, including sensitive information such as account IDs, full names, birth dates, DNA profiles, and location details. In response, 23andMe claimed that the attackers used credential-stuffing attacks against weakly secured accounts and denied that its systems were breached directly. The company disclosed that the breach widened because customers had activated an optional feature named 'DNA Relatives,' which connects genetic relatives. 23andMe is working with third-party experts and law enforcement authorities to investigate the breach and plans to inform affected customers individually. The lawsuits criticize 23andMe for its lack of transparency regarding the breach, its inadequate security measures, and its failure to monitor its network for abnormal activity. Plaintiffs are seeking various forms of financial relief, including lifetime credit monitoring and both actual and punitive damages.
2023-10-13 19:58:29 bleepingcomputer DATA BREACH Multiple Class-Action Lawsuits Filed Against Genetic Testing Provider 23andMe over Major Data Breach
Genetic testing service 23andMe faces multiple class-action lawsuits following a significant data breach that potentially impacted millions of customers. The company claims hackers accessed its platform via credential-stuffing attacks on poorly protected accounts. The breach involved the publication on hacker forums of a CSV file containing data on nearly 1 million Ashkenazi Jews who had used 23andMe's services. The disclosed details included users' account IDs, full names, sex, date of birth, DNA profiles, and location details. Although the original hacker retracted the post and opted to sell the stolen profiles instead, other threat actors continued to share the initial leak across cybercrime communities. The company explained that the breach expanded because customers had activated an optional 'DNA Relatives' feature. 23andMe has promised to individually inform impacted customers and to continue its investigation with the assistance of law enforcement and third-party experts. The lawsuits, filed in California, criticise 23andMe's lack of adequate network monitoring and proactive security measures, maintaining that the company should have been more alert to cybersecurity threats. The plaintiffs are seeking various forms of financial compensation, including restitution, lifetime credit monitoring, and coverage of attorney's fees, among others. The lawsuits seek nominal damages of $1,000 and punitive damages of $3,000 per class member.
2023-10-13 19:02:22 theregister DATA BREACH Cloud PC Gaming Company Shadow Suffers Data Breach Due to Social Engineering Attack
Shadow, a French cloud service that provides Windows PC gaming among other services, has confirmed a data breach resulting from a social-engineering attack. The theft reportedly exposed customer data. An individual claiming responsibility for the attack is allegedly attempting to sell a database containing information on over 530,000 Shadow customers on a cybercrime forum. The exposed data includes full names, email addresses, birth dates, billing addresses, and credit card expiration dates. However, CEO Eric Sele emphasized that no passwords or sensitive banking data were compromised. Sele provided more details about the attack, stating that it began on Discord with the download of malware via a game on Steam. From there, the attacker used a stolen cookie to access the management interface of one of Shadow's SaaS providers and extracted private customer information. In response to the breach, the company has locked down its systems and reinforced its security protocols with third-party providers. Sele apologized to customers and asserted Shadow's commitment to transparency.