Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11576
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-13 15:32:16 | theregister | CYBERCRIME | Microsoft Visual Studio's Trusted Locations Feature Exploited | A security researcher has demonstrated a one-click remote code execution (RCE) attack against Microsoft's Visual Studio integrated development environment (IDE): the victim only has to open a booby-trapped project.
The exploit was developed by Zhiniang Peng, principal security researcher and chief architect of security at Sangfor; it targets the default configuration of Visual Studio's "trusted locations" feature.
That feature is not enabled by default, which lowers the bar for a successful attack and leaves unaware users exposed.
Microsoft has not addressed the issue and does not consider it a security vulnerability, asserting that downloading and opening a project from platforms such as GitHub is inherently insecure.
Peng's attack is deceptive because it relies on a .suo (solution user options) binary file, which is hidden by default in the project's file explorer and is hard to read.
Despite the working demonstration, Microsoft maintained that the issue is not a "true" vulnerability and will not be patched.
Peng further noted that Visual Studio does not honour Mark of the Web (MOTW): solution (.sln) files downloaded from the internet open without any warning, so that protection is easily bypassed. | Details |
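The two checks Visual Studio does not make for you, as an added example for this brief (not code from The Register, Peng or Microsoft): list every .suo file in a downloaded solution tree, and read the Mark-of-the-Web zone of each .sln file from its NTFS Zone.Identifier stream. Assumptions: VS 2022 keeps the .suo under the hidden `.vs/<solution>/v17/` folder, the stream uses the INI `[ZoneTransfer]` / `ZoneId=` layout, and the zone numbers follow the standard URLZONE values. The sample tree built by `demo()` is constructed, and its ADS reader is simulated so the script runs on any filesystem.

```python
"""Pre-open triage of a downloaded Visual Studio solution.

Added example for this brief; not code from The Register, Peng or Microsoft.
It lists every .suo file in the tree (VS 2022 keeps it in the hidden
.vs/<solution>/v17/ folder) and reports the Mark-of-the-Web zone of each
.sln, read from the NTFS Zone.Identifier stream. Assumptions: the INI layout
of Zone.Identifier and the standard URLZONE numbering; on filesystems
without alternate data streams the read is simply skipped.
"""
import os
import tempfile
from pathlib import Path

URLZONE = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
           3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier stream; ZoneId becomes an int or None."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    try:
        fields["ZoneId"] = int(fields.get("ZoneId"))
    except (TypeError, ValueError):
        fields["ZoneId"] = None
    return fields


def read_zone_identifier(path):
    """Return the Zone.Identifier stream of a file, or None if absent/unsupported."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:          # no ADS on the file, or a filesystem without ADS support
        return None


def triage_solution(root, read_ads=read_zone_identifier):
    """Walk a solution tree; report .suo files and the MOTW zone of each .sln."""
    root = Path(root)
    findings = {"suo": [], "sln": []}
    for p in sorted(root.rglob("*")):       # rglob does not skip dot-directories such as .vs
        if not p.is_file():
            continue
        if p.name.lower() == ".suo" or p.suffix.lower() == ".suo":
            findings["suo"].append(p.relative_to(root).as_posix())
        elif p.suffix.lower() == ".sln":
            stream = read_ads(p)
            zone = parse_zone_identifier(stream)["ZoneId"] if stream else None
            findings["sln"].append({"path": p.relative_to(root).as_posix(),
                                    "zone": zone,
                                    "zone_name": URLZONE.get(zone, "no MOTW")})
    return findings


def is_risky(findings):
    """Risky if any .suo is present or any .sln came from the Internet zone or worse."""
    from_web = any(s["zone"] is not None and s["zone"] >= 3 for s in findings["sln"])
    return bool(findings["suo"]) or from_web


def demo():
    """Build a CONSTRUCTED sample tree and triage it with a simulated ADS reader."""
    root = tempfile.mkdtemp(prefix="vs-triage-")
    os.makedirs(os.path.join(root, ".vs", "App", "v17"))
    open(os.path.join(root, ".vs", "App", "v17", ".suo"), "wb").close()
    open(os.path.join(root, "App.sln"), "w").close()
    # Simulated stream content, as a browser download would carry it.
    fake_ads = lambda p: ("[ZoneTransfer]\r\nZoneId=3\r\n"
                          "ReferrerUrl=https://example.invalid/\r\n"
                          if p.suffix.lower() == ".sln" else None)
    return triage_solution(root, read_ads=fake_ads)


if __name__ == "__main__":
    result = demo()
    print(result, "RISKY" if is_risky(result) else "clean")
```

Run `triage_solution("C:\\path\\to\\clone")` on Windows to use the real stream reader; a .suo that you did not create yourself is the signal, whatever the zone says, because a git clone carries no MOTW at all.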
| 2023-10-13 14:56:11 | bleepingcomputer | CYBERCRIME | US Cybersecurity Agency Reveals Vulnerabilities and Misconfigurations Exploited by Ransomware Gangs | The US Cybersecurity and Infrastructure Security Agency (CISA) has released further information about the security vulnerabilities and misconfigurations that ransomware attackers exploit, to help critical infrastructure organizations defend against such attacks.
CISA's Ransomware Vulnerability Warning Pilot program, launched in January 2023, has identified and notified the owners of more than 800 internet-exposed systems carrying vulnerabilities commonly exploited by ransomware operations.
Because organizations may not be aware that ransomware actors are exploiting vulnerabilities present in their networks, CISA now flags these in the Known Exploited Vulnerabilities (KEV) Catalog with a column indicating whether an entry is known to be used in ransomware campaigns.
As a companion resource, CISA has published a Misconfigurations and Weaknesses list detailing the oversights known to be abused in ransomware attacks.
These efforts respond to growing ransomware activity against critical infrastructure and US government agencies. Earlier measures include the Ransomware Readiness Assessment, introduced in June 2021, and guidance on preventing data breaches resulting from ransomware incidents.
CISA has also formed the Joint Cyber Defense Collaborative, an alliance with the private sector aimed at protecting US infrastructure from ransomware and other cyber threats, and launched StopRansomware.gov, a dedicated site offering information on mitigating ransomware attacks. | Details |
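How a defender would consume the ransomware flag described in the CISA item above, as an added example for this brief (not code from CISA or BleepingComputer): parse the KEV JSON feed, keep the entries CISA marks as known to be used in ransomware campaigns, and intersect them with a local inventory of CVEs, listing overdue ones first. The field names follow CISA's published feed schema (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`); the catalog excerpt and the inventory embedded in the script are constructed sample data so it runs offline, and their ransomware flags are illustrative rather than copied from the live feed.

```python
"""Triage a CVE inventory against the CISA KEV catalog's ransomware flag.

Added example for this brief; not code from CISA or BleepingComputer. Field
names follow the published KEV JSON feed. The catalog excerpt below is
CONSTRUCTED sample data so the script runs offline; its ransomware flags are
illustrative, not copied from the live feed.
"""
import json
import urllib.request
from datetime import date

KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities", "catalogVersion": "sample",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2017-5638", "vendorProject": "Apache", "product": "Struts",
     "vulnerabilityName": "Apache Struts Remote Code Execution Vulnerability",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2023-40044", "vendorProject": "Progress", "product": "WS_FTP Server",
     "vulnerabilityName": "Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2023-10-05", "dueDate": "2023-10-26",
     "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2023-42824", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "vulnerabilityName": "Apple iOS and iPadOS Kernel Privilege Escalation Vulnerability",
     "dateAdded": "2023-10-05", "dueDate": "2023-10-26",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""


def load_kev(text):
    """Parse a KEV feed document; drop records that lack a string cveID."""
    doc = json.loads(text)
    return [e for e in doc.get("vulnerabilities", []) if isinstance(e.get("cveID"), str)]


def fetch_live_kev(timeout=30):
    """Download the current catalog (network access required)."""
    with urllib.request.urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def _is_ransomware(entry):
    return str(entry.get("knownRansomwareCampaignUse", "")).lower() == "known"


def ransomware_entries(entries):
    """Entries CISA marks as known to be used in ransomware campaigns."""
    return [e for e in entries if _is_ransomware(e)]


def _iso_date(value):
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def match_inventory(entries, inventory_cves, today):
    """KEV entries found in the inventory; ransomware-used and overdue ones sort first."""
    today = _iso_date(today) if isinstance(today, str) else today
    wanted = {c.strip().upper() for c in inventory_cves}
    hits = []
    for e in entries:
        if e["cveID"].upper() not in wanted:
            continue
        due = _iso_date(e.get("dueDate"))
        hits.append({
            "cveID": e["cveID"],
            "product": f"{e.get('vendorProject', '?')} {e.get('product', '?')}",
            "ransomware": _is_ransomware(e),
            "dueDate": e.get("dueDate"),
            "overdue": due is not None and today > due,   # past the CISA remediation deadline
        })
    hits.sort(key=lambda h: (not h["ransomware"], not h["overdue"], h["cveID"]))
    return hits


def triage(kev_text, inventory_cves, today):
    """Parse a feed document and match it against an inventory of CVE ids."""
    return match_inventory(load_kev(kev_text), inventory_cves, today)


if __name__ == "__main__":
    # Constructed inventory: CVE ids a scanner reported on the estate.
    inventory = {"cve-2023-40044", "CVE-2023-42824", "CVE-2017-5638", "CVE-2099-0001"}
    for hit in triage(SAMPLE_KEV_JSON, inventory, "2023-10-13"):
        flag = "RANSOMWARE" if hit["ransomware"] else "exploited"
        state = "OVERDUE" if hit["overdue"] else f"due {hit['dueDate']}"
        print(f"{hit['cveID']:<16}{flag:<12}{state:<18}{hit['product']}")
```

Swap `load_kev(SAMPLE_KEV_JSON)` for `fetch_live_kev()` to run against the real catalog; the sort order puts the entries that combine both signals (ransomware use and a missed deadline) at the top of the patch queue.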
| 2023-10-13 14:50:45 | theregister | NATION STATE ACTIVITY | EU Cyber Resilience Act Poses Major Concerns for Open Source Developers | The EU Cyber Resilience Act (CRA) has raised concerns among open source developers due to perceived stringent regulations that may hinder software development.
The CRA, approved on July 13, 2023, imposes stringent cybersecurity requirements on software and hardware products sold in the EU. It requires software producers, including individual developers, to fix security flaws and to update and validate their products on an ongoing basis.
Even developers outside the EU who distribute software over the internet could be liable for CRA penalties, with the potential for substantial fines.
Non-profit foundations and private companies developing open source software would also need to comply with the CRA.
Amendments under discussion may exclude some open source projects with a "fully decentralized development model".
It is feared that CRA compliance may be too complex for individual developers and small or medium-sized businesses to manage.
The Linux Foundation Europe has encouraged concerned developers to act swiftly against this legislation, providing suggestions on available courses of action. | Details |
| 2023-10-13 14:34:48 | thehackernews | CYBERCRIME | New 'PEAPOD' Cyberattack Targets EU Military Personnel, Political Leaders Working on Gender Equality | A new version of the RomCom RAT malware, known as PEAPOD, is being used in a cyberattack campaign targeting European Union military personnel and political leaders involved in gender equality initiatives.
The malware is typically distributed through highly targeted spear-phishing emails and decoy online advertisements that lead victims to counterfeit sites hosting trojanized applications.
The campaign is attributed to a group tracked as Void Rabisu, which conducts both financially motivated and espionage attacks and has focused on Ukraine and the nations supporting it in the war with Russia.
Microsoft had previously implicated Void Rabisu, which it tracks as Storm-0978, in exploitation of CVE-2023-36884, a remote code execution flaw in Office and Windows HTML.
PEAPOD communicates with a command-and-control server to execute operations on the compromised system and adds new defence-evasion techniques.
The latest attacks, in August 2023, delivered a slimmed-down version of the malware via a decoy website hosting an executable that purports to contain photos from a Women Political Leaders Summit. Instead, the file drops 56 decoy photos onto the system and retrieves a DLL from a remote server, keeping the on-disk footprint small and complicating detection.
Trend Micro speculates that Void Rabisu may be one of several financially motivated criminal groups that moved into cyberespionage because of the geopolitical situation created by the war in Ukraine. | Details |
| 2023-10-13 12:52:30 | theregister | DATA BREACH | Equifax Fined Over £11M by UK Financial Conduct Authority for 2017 Data Breach | The UK's Financial Conduct Authority (FCA) has fined Equifax Ltd over £11 million ($13.6 million) for serious failings relating to the 2017 data breach, which affected 13.8 million UK consumers.
The original penalty was higher (£15,949,200, or $19,428,836) but was reduced because Equifax cooperated throughout the investigation and agreed to the penalty early in the proceedings.
The regulator said the breach was entirely preventable and criticised Equifax's handling of it, including public statements that understated its severity and a failure to notify the FCA promptly.
The FCA stressed that financial firms must have robust cybersecurity measures in place to protect personal data and must communicate promptly with regulators when a breach occurs.
The failings centred on Equifax Ltd's outsourcing arrangement with its US parent, Equifax Inc.: UK consumer data was sent to Equifax Inc.'s US servers for processing under a Data Processing Agreement, and Equifax Ltd did not adequately manage or monitor that relationship, so the compromise of the parent's systems exposed UK data.
The attackers got in through CVE-2017-5638, an Apache Struts vulnerability for which a patch was available but which Equifax's lax security practices had left unapplied.
The FCA also criticised Equifax for inaccurate public statements after the breach and for failing to maintain quality assurance checks on complaints, which led to complaints being mishandled.
Equifax stated that it has invested over $1.5 billion in a security and technology transformation since the attack and argues that it now boasts one of the industry's most advanced cybersecurity programs. | Details |
| 2023-10-13 11:56:07 | thehackernews | NATION STATE ACTIVITY | ToddyCat APT Upskills with New Malicious Tools for Data Exfiltration | Researchers from Kaspersky have connected the advanced persistent threat (APT) group, ToddyCat, to a suite of new tools intended for data exfiltration, expanding understanding of their capability and techniques.
A follow-up investigation into the group, which was identified last year as being behind attacks on high-profile targets in Europe and Asia over a three-year period, uncovered a set of malicious tools for persistence, file operations, and loading additional payloads at runtime.
Kaspersky identified a series of loaders capable of initiating the Ninja Trojan as a second stage, a tool called LoFiSe for locating and gathering files of interest, an uploader for storing stolen data to Dropbox, and Pcexter for transferring archive files to Microsoft OneDrive.
ToddyCat also reportedly employs custom scripts for data collection, a passive backdoor that receives commands via UDP packets, Cobalt Strike for post-exploitation, and compromised domain administrator credentials for lateral movement in support of its espionage.
Check Point, in a related reveal, disclosed that select government and telecom units in Asia have been targeted by an ongoing campaign since 2021, using a broad range of "disposable" malware for avoiding detection and distributing subsequent-stage malware. The said activity is said to utilise infrastructure that overlaps with ToddyCat's. | Details |
| 2023-10-13 11:09:54 | thehackernews | CYBERCRIME | Ransomware Attacks Double Year-over-year; Healthcare Industry Top Target | Ransomware attacks have doubled year-over-year, with groups growing more sophisticated and expanding their capabilities; their tactics have successfully bypassed existing defences.
The Healthcare sector now accounts for roughly a quarter of all ransomware attacks, placing it among the five most-targeted sectors because of the value of the protected health information (PHI) it holds.
High-income organisations handling sensitive data are the primary targets. Alongside Healthcare, the Professional Services, IT & ITES, and Construction sectors are hit because of their high net worth and expanded attack surfaces.
The US remains the most targeted nation owing to its high degree of digitisation and political significance, followed by the UK, Italy and Germany.
Despite the emergence of newer ransomware groups, LockBit remains the dominant threat, with 240 confirmed victims reported in Q3 2023.
Ransomware operators have adopted Rust and Go, which makes their payloads harder to analyse and trace.
In response to these developments, organizations are enhancing cybersecurity through measures such as implementing Zero-Trust Architecture and multi-factor authentication, ramping up vulnerability management and implementing thorough Incident Response Planning. | Details |
| 2023-10-13 10:39:08 | thehackernews | MALWARE | Rising DarkGate Malware Attacks Target Messaging Platforms as Delivery Mechanism | DarkGate malware is escalating attacks, using messaging services like Skype and Microsoft Teams as conduits for infection.
The initial lure is a script disguised as a PDF document; when the supposed document is opened, it downloads an AutoIt script that launches the malware.
It is unclear how the sending accounts on these messaging services are compromised; leaked credentials from underground forums or a prior compromise of the parent organisation are suspected.
DarkGate malware can extract sensitive data from browsers, run cryptocurrency mining operations, remotely control infected hosts and download additional payloads like Remcos RAT.
Social engineering campaigns are being used to distribute the malware through phishing emails and deceptive SEO practices. The malware is being advertised and rented out as a service on underground forums after years of private use.
The majority of the attacks were detected in the Americas, followed by Asia, the Middle East and Africa.
Researchers recommend diligent monitoring for external messaging and potential compromised accounts as preventive measures. | Details |
| 2023-10-13 10:28:23 | thehackernews | CYBERCRIME | FBI and CISA Warn of Rising AvosLocker Ransomware Attacks on U.S. Critical Infrastructure | The FBI and CISA have released a joint security advisory detailing the escalation of AvosLocker ransomware attacks against U.S. critical infrastructure sectors.
The ransomware, which first emerged in 2021, has been used to compromise organisational networks by leveraging legitimate software and open-source remote administration tools, in support of extortion built on data exfiltration.
AvosLocker uses sophisticated techniques to deactivate antivirus protections in Windows, Linux, and VMware ESXi environments, using open-source tools, legitimate utilities and malware for its operations.
FBI and CISA have urged the affected organizations to adopt appropriate measures to mitigate the impact of AvosLocker, including application controls, restricting remote desktop services and PowerShell use, requiring phishing-resistant multi-factor authentication, and maintaining offline backups.
The escalating threat comes amid a major surge in ransomware attacks in 2023: in over 50% of incidents ransomware was deployed within one day of initial access, with the median dwell time dropping from 4.5 days in 2022 to under a day.
In its 2023 Digital Defense Report, Microsoft highlighted that 70% of organizations targeted by human-operated ransomware have fewer than 500 employees and 80-90% of total compromises originate from unmanaged devices.
While major threat actors drove the rise, the emergence of several new active groups is also contributing to a significant increase in victims and data leaks. | Details |
| 2023-10-13 00:24:02 | theregister | CYBERCRIME | Squid Caching Proxy Still Plagued by 35 Unpatched Vulnerabilities | Security researcher Joshua Rogers has stated that 35 security vulnerabilities remain unpatched in the Squid caching proxy two years after being identified and disclosed to the project's maintainers.
Squid is a widely used HTTP web proxy for caching and forwarding by ISPs and website operators.
Rogers discovered 55 flaws in Squid's code during a security audit in February 2021. Only 20 of them have been patched to date; the remaining 35 are unaddressed.
The remaining flaws include issues related to use-after-free, memory leak, cache poisoning, and assertion failure, among others. Rogers has publicly disclosed the issues, including technical details and proofs of concept.
Rogers recognises the Squid team's resource limits, noting that most are volunteers and may lack the support needed to promptly resolve these issues.
This has sparked a discussion about who should be accountable for maintaining and supporting open-source software, including calls for vendor support in a recent paper issued by the US National Security Agency and its partners.
With over 2.5 million Squid instances exposed on the internet, operators need to reassess whether it remains the right choice given the unresolved vulnerabilities. | Details |
| 2023-10-12 23:42:59 | bleepingcomputer | MALWARE | FBI and CISA Share Technical Details and Defense Tips for AvosLocker Ransomware | The US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have shared technical details related to AvosLocker ransomware, updating the list of its tools used in cyberattacks.
Attack tools include a blend of open-source utilities, custom PowerShell and batch scripts. Attackers also use legitimate software and open-source code for remote system administration, compromising, and exfiltrating data from enterprise networks.
The advisory specifically calls out NetMonitor.exe, a tool that masquerades as a legitimate network-monitoring process and gives the attackers a persistent remote connection into the compromised network; it is part of the AvosLocker methodology.
AvosLocker has compromised organizations across multiple critical infrastructure sectors in the US, impacting Windows, Linux, and VMware ESXi environments.
Recommended defenses against AvosLocker include application control, restrictions on remote desktop services, multi-factor authentication, and the principle of least privilege.
The advisory is an addition to previous advice shared in mid-March, which highlighted AvosLocker's exploitation of vulnerabilities in on-premise Microsoft Exchange servers. | Details |
| 2023-10-12 19:13:43 | bleepingcomputer | CYBERCRIME | Unpatched WS_FTP servers targeted in ransomware attacks | Unpatched WS_FTP servers with a critical vulnerability are being targeted in ransomware attacks, according to Sophos X-Ops incident responders.
The attackers, claiming to be the Reichsadler Cybercrime Group, attempted to use the LockBit 3.0 builder to deploy ransomware payloads.
The group unsuccessfully tried to escalate their privileges using the open-source GodPotato tool. Although they failed to encrypt files, a ransom of $500 was still demanded.
The vulnerability, tracked as CVE-2023-40044, lets unauthenticated remote attackers execute commands on the underlying operating system via crafted HTTP requests.
Updates were released by Progress Software in September to address this vulnerability, but not all servers have been patched.
Assetnote security researchers found around 2,900 hosts running WS_FTP, mostly belonging to large enterprises, governments and educational institutions.
Organizations that cannot patch immediately should disable the vulnerable WS_FTP Server Ad Hoc Transfer Module to block incoming attacks. The US Department of Health and Human Services' HC3 has advised the healthcare and public health sectors to patch their servers as soon as possible. | Details |
| 2023-10-12 17:41:57 | bleepingcomputer | MALWARE | Malicious NuGet Packages Infect Devs with SeroXen RAT | Malicious NuGet packages, impersonating crypto wallets, exchanges, and platforms, have been discovered by Phylum researchers and are reported to infect developers with the SeroXen remote access trojan (RAT).
NuGet is an open-source package manager and software distribution system for .NET; the packages were uploaded by a user named 'Disti'.
The packages contain an XML file that downloads a malicious obfuscated Windows batch file, and use the official logos of the platforms they impersonate to trick victims.
All packages uploaded by Disti are still available for download; the displayed download count of over 2 million is likely inflated to lend the packages credibility.
The packages deploy two PowerShell scripts that download and execute a file from an external URL. This leads to the deployment of the SeroXen RAT, a powerful trojan gaining popularity among cybercriminals due to its low detection rates and capabilities. | Details |
| 2023-10-12 17:31:22 | bleepingcomputer | MISCELLANEOUS | Microsoft Launches AI Bug Bounty Program with a Focus on Bing | Microsoft has launched a new bug bounty program focused on finding vulnerabilities in its AI-powered Bing experience.
Security researchers worldwide are invited to participate, with rewards for qualifying submissions ranging from $2,000 to $15,000 USD.
Besides the issues listed in Microsoft's Vulnerability Severity Classification for AI Systems, other vulnerability types are welcome, excluding a few that are declared 'out of scope'.
Microsoft has confirmed that this bounty program is a part of its comprehensive approach to safeguarding its customers against security threats.
During a recent bounty year-in-review, Microsoft revealed it paid a total of $13.8 million to 345 security researchers globally, who reported 1,180 vulnerabilities across 17 bug bounty programs.
Last year, Microsoft added on-premises Exchange, SharePoint, Skype for Business to its bug bounty program, and increased the top rewards for high-impact security flaws reported through the Microsoft 365 program. | Details |
| 2023-10-12 16:45:07 | bleepingcomputer | CYBERCRIME | Apple Backports Patches for Zero-Day Vulnerabilities on Older iPhones and iPads | Apple has released security updates for older versions of iPhones and iPads, addressing two zero-day vulnerabilities that have been exploited in attacks. The company has not revealed who reported these issues.
The first vulnerability (CVE-2023-42824) is a weakness in the XNU kernel that a local attacker could use to elevate privileges and gain greater access to the victim's device. Apple addressed it with improved checks.
The second (CVE-2023-5217) is a heap buffer overflow in the VP8 encoder of the libvpx video codec library, which could lead to arbitrary code execution. Google had already patched the same bug in Chrome, and Microsoft followed for its Edge, Teams, and Skype products.
Google’s Threat Analysis Group, renowned for uncovering zero-day exploits in state-backed spyware attacks, credited security researcher Clément Lecigne with discovering CVE-2023-5217.
The list of devices affected by these vulnerabilities is wide-ranging, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to update its Known Exploited Vulnerabilities Catalog and instruct federal agencies to defend their systems against these threats.
Earlier this year, Apple rectified 18 zero-day vulnerabilities that were being exploited to target iPhones and Macs, demonstrating the company's ongoing efforts to secure its platforms. | Details |