Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 11576

Checks for new stories every ~15 minutes

2023-10-12 14:12:09 bleepingcomputer CYBERCRIME Asian Telecoms Targeted by Chinese Espionage Actor 'ToddyCat' Using 'Disposable Malware'
A cyber campaign named "Stayin' Alive", active since 2021 and still ongoing, has been identified that specifically targets government organizations and telecommunication service providers in Asia, notably in Kazakhstan, Uzbekistan, Pakistan, and Vietnam. The campaign is linked to the Chinese espionage actor known as 'ToddyCat', who sends spear-phishing messages carrying various malware loaders and backdoors. The attacks begin with a well-crafted spear-phishing email that encourages the recipient to open a zipped file containing the CurKeep malware, which serves as a backdoor to exfiltrate data, execute commands and handle file-based tasks. The campaign uses a variety of custom-made tools, notably the CurLu loader, CurCore, and the CurLog loader, each with its own functionality and infection mechanism. Check Point has noted that while these tools show no clear code overlaps, they all connect to the same infrastructure, which was previously associated with the Chinese cyber espionage group ToddyCat. Check Point further suggests that "Stayin' Alive" might be part of a broader campaign involving yet-to-be-discovered tools and attack methods, indicating the evolving sophistication of this threat actor.
2023-10-12 13:25:45 bleepingcomputer MALWARE Curl Releases Patch for High-Severity Security Vulnerability
Curl has released version 8.4.0 to address a high-severity heap buffer overflow bug (CVE-2023-38545) and a low-severity cookie injection flaw (CVE-2023-38546). The greater concern was the high-severity flaw, which had potential for widespread impact given that curl and libcurl are used in many applications and system libraries. The heap buffer overflow lies in curl's SOCKS5 proxy protocol implementation. A heap buffer overflow occurs when more data is written to an allocated memory region than it can hold, overwriting and corrupting adjacent data and potentially leading to application crashes or remote code execution. While the flaw could affect many curl users, the prerequisites for exploitation are restrictive: the curl client must be configured to use a SOCKS5 proxy and to follow redirects automatically, and the SOCKS5 connection to the remote site must be slow. To trigger the bug, an attacker could set up a site that redirects a visitor to a long hostname, causing the overflow and crashing the application. Current proof-of-concept exploits only crash curl, amounting to a denial of service; remote code execution has not been demonstrated. The individuals most likely to be affected are cybersecurity researchers and developers, given their frequent use of SOCKS5 proxies. Security researcher Matthew Hickey advises users to upgrade to the new version, since more sophisticated exploits leading to code execution could still be developed.
2023-10-12 13:20:11 thehackernews CYBERCRIME SeroXen RAT Deployed Through Malicious Library in NuGet's .NET Framework
A malicious package in the .NET Framework's package manager, NuGet, was discovered to be deploying the SeroXen remote access trojan (RAT). The suspicious package, named Pathoschild.Stardew.Mod.Build.Config, is a typosquatted variant of a legitimate package and has been downloaded 100,000 times since its publication. The operator has published six other packages with similar malicious capabilities, four of them masquerading as crypto service libraries, accumulating over 2.1 million downloads in total. During installation of the malicious packages, a script runs that executes a second script, which installs the SeroXen RAT. SeroXen RAT, a fileless RAT commonly sold to cybercriminals, combines the functionality of Quasar RAT, the r77 rootkit, and the Windows command-line tool NirCmd. Phylum's report shows that attackers continue to exploit open-source ecosystems: additional malicious packages were discovered on the Python Package Index (PyPI), masquerading as legitimate offerings from various cloud service providers. These packages aim to steal sensitive cloud credentials and preserve the original functionality of the packages they imitate, making the malicious code difficult to detect.
2023-10-12 12:44:09 theregister CYBERCRIME Everest Ransomware Gang Switches Tactics, Offers Cash to Corporate Insiders for Network Access
The Everest ransomware group is thought to be transitioning from ransomware to acting as an initial access broker (IAB), offering a 'good percentage' of profits from successful attacks to insiders who assist with initial intrusion into corporate networks. The group is specifically seeking access to organizations based in the U.S., Canada, and Europe via methods including TeamViewer, AnyDesk, and RDP. Everest's change in tactics may be intended to avoid law enforcement crackdowns, as seen with other ransomware gangs such as Hive and REvil, and to adapt to personnel changes within the group. Everest has alternated between ransomware and IAB activity in the past. Recruiting insiders directly could lead to greater profits and reduce dependency on other IABs. Recruiting insiders as part of cyber attacks is not new and has been used by other cybercriminal groups; a 2022 survey found that 65% of corporate executives had been approached by ransomware criminals seeking help with network access. Everest's success with this strategy will likely hinge on its ability to vet respondents to its ads and on the willingness of potential insiders, a pool that is likely small in most organizations.
2023-10-12 12:33:21 theregister CYBERCRIME The Importance of Continual Data Protection and Cyber Recovery Vaults: Lessons from Ransomware Attacks
Two subsidiaries of Danish hosting company CloudNordic were hit by ransomware in August 2023, resulting in the loss of all customer data, which was unrecoverable even from backup servers. CloudNordic reportedly chose not to pay the ransom demand; paying, however, would not have guaranteed recovery of the data. Traditional backup and data resilience methods can be insufficient against advanced ransomware attacks, as malicious actors often manage to disable backup routines, leaving organizations exposed. Zerto, a Hewlett Packard Enterprise company, offers Continuous Data Protection (CDP) technology with built-in ransomware resilience. It is designed to rapidly detect and respond to data being maliciously encrypted, allowing a quick rollback to clean restore points taken before infection. Zerto's Cyber Resilience Vault is an isolated, air-gapped system designed for serious attacks in which ransomware infects both production and backup platforms, leaving attackers no point of compromise. Traditional backups proved insufficient for textile manufacturer TenCate Protective Fabrics, which lost 12 hours of data to the CryptoLocker ransomware despite having backups in place. By contrast, after adopting Zerto's CDP technology, losses from a second attack were limited to just ten seconds of data. The effectiveness of continuous data protection against ransomware highlights the need for robust, dedicated cyber recovery solutions in addition to traditional backups.
2023-10-12 12:17:38 bleepingcomputer DATA BREACH Shadow PC confirms data breach following targeted social engineering attack
Shadow PC, a cloud gaming service, has alerted customers to a recent data breach that exposed the personal information of its users. The breach resulted from a successful social engineering attack targeting one of Shadow PC's employees. A malicious actor sent malware disguised as a game on the Steam platform to an acquaintance of the employee, who downloaded it. The malware stole an authentication cookie, allowing the attackers to log into the management interface of one of the company's software-as-a-service providers. The stolen data included full names, dates of birth, email addresses, billing addresses, and credit card expiration dates. The company confirmed that no passwords or sensitive payment information was accessed. Since the breach, Shadow PC has implemented security measures to prevent similar incidents and has revoked the stolen authentication cookie, blocking the attacker's access. A cybercriminal claiming responsibility for the breach has offered the stolen data of over 500,000 customers for sale on a forum; this claim has not been independently verified.
2023-10-12 11:31:28 thehackernews MALWARE Hexadecimal IPs Utilized in ShellBot Attacks Against Poorly Managed Linux SSH Servers
Threat actors are using IP addresses written in hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the ShellBot DDoS malware. The malware, also known as PerlBot, breaches servers with weak SSH credentials by means of dictionary attacks, enabling the staging of DDoS attacks and the delivery of cryptocurrency miners. Recent ShellBot attacks have installed the malware from download URLs that use hexadecimal IP addresses in an attempt to evade URL-based detection signatures. ShellBot communicates with its command-and-control server over the IRC protocol and continues to be used in steady attacks against Linux systems. Users are advised to set strong passwords and rotate them regularly to defend against brute-force and dictionary attacks. ASEC also revealed that attackers are weaponizing abnormal certificates with unusually long strings in the Subject Name and Issuer Name fields to distribute malware such as Lumma Stealer and a variant of RedLine Stealer. These malware families are primarily distributed via malicious pages that are easily reachable through search engines, posing a threat to a wide range of users.
2023-10-12 11:00:33 theregister CYBERCRIME US Construction Giant Simpson Manufacturing Falls Victim to Cyberattack
Simpson Manufacturing, a US-based construction supplies provider, has reported a cyberattack on its IT infrastructure on October 10, 2023, which caused disruptions and took some systems offline. The company, which has a market capitalization of $6.1 billion and global operations, is still dealing with ongoing disruptions, and a ransomware infection is suspected. The investigation into the nature and scope of the incident is ongoing, with third-party cybersecurity specialists engaged to assist the probe and recovery efforts. Although the construction industry was long considered immune to cyberattacks, that perception has shifted: the sector is one of the most affected by data security incidents, according to a 2021 report by the Association of General Construction of America. The report also noted that cybercriminals see the construction industry as a lucrative target because it lacks robust data security and privacy measures while holding a substantial amount of digitally stored confidential information. As advanced technologies become more commonplace in construction, the sector's exposure grows if appropriate data security and privacy risk assessments and controls are not in place.
2023-10-12 10:34:21 thehackernews MALWARE Microsoft Defender Prevents Large-Scale Akira Ransomware Attack With User Containment Feature
Microsoft Defender for Endpoint's user containment feature successfully detected and stopped a large-scale Akira ransomware attack on an undisclosed industrial organization in June 2023. The ransomware operators, tracked as Storm-1567, used devices not onboarded to Microsoft Defender to evade defenses. They conducted reconnaissance and lateral movement before initiating encryption with a compromised user account. The recently added attack disruption capability of Defender for Endpoint can prevent compromised accounts from accessing other resources within a network, limiting the attackers' ability to move laterally. The feature disrupts all inbound and outbound communication for the contained user and prevents human-operated attacks from spreading to additional devices within the network. Microsoft stated that the feature also disrupted an attack on a medical research lab in August 2023, where the attacker tried to reset the password of a default domain administrator account. Microsoft emphasized the importance of preventing the compromise of highly privileged user accounts, which could give attackers access to the network's Active Directory and let them subvert conventional security measures.
2023-10-12 10:34:21 thehackernews CYBERCRIME Enhancing Data Protection in ChatGPT with Browser Security Platforms
Generative AI innovations such as ChatGPT present a new data exposure risk when employees inadvertently paste sensitive information into these applications. Traditional Data Loss Prevention (DLP) solutions, designed to protect file-based data, are ill-equipped to manage these risks. A new report by LayerX proposes browser security platforms as a solution. These platforms enable real-time monitoring and governance of web sessions, thereby protecting sensitive data. Unlike DLP solutions, browser security platforms offer real-time visibility and enforcement on live web sessions, giving complete oversight of user input into platforms like ChatGPT. The report suggests a three-tiered approach in which organizations can block, alert on, or allow specific actions, enabling a customized data protection strategy. According to the report, browser security platforms are currently the only solutions capable of mitigating data exposure risks in AI-driven text generators.
2023-10-12 09:17:56 thehackernews MALWARE Cybersecurity researchers unveil malware masquerading as WordPress caching plugin
Cybersecurity investigators have discovered a sophisticated new form of malware that disguises itself as a WordPress plugin. The malware can clandestinely create administrator accounts and take control of compromised sites. According to Wordfence, the plugin is professionally designed and includes features that prevent it from being listed among activated plugins. The malware lets attackers remotely activate and deactivate plugins on a compromised site and create rogue admin accounts with preset, hard-coded credentials. It can also remotely trigger malicious actions, modify post and page content, inject spam links or buttons, and manipulate search engine crawlers. The researchers noted that the scale of the attacks and the initial intrusion vector used to compromise the sites are currently unknown. Separately, Sucuri stated that over 17,000 WordPress websites were compromised in September 2023 by the Balada Injector malware, which was used to add malicious plugins and create unauthorised blog administrators.
2023-10-12 08:47:01 theregister NATION STATE ACTIVITY HM Government Partners with SANS to Train Cybersecurity Professionals in Upskill in Cyber Programme
HM Government has collaborated with SANS to offer the Upskill in Cyber programme to train cybersecurity professionals. The programme, launched earlier this year, offers intensive, accelerated training designed to help graduates acquire the skills needed to launch their cybersecurity careers. This year saw a record 4,600 applications, with only the top 7% selected on the basis of aptitude assessments. Graduates complete key cybersecurity certifications, such as the GIAC Foundational Cyber Security Technologies and GIAC Security Essentials certifications. The Upskill in Cyber programme also connects graduates with local companies, contributing to the growth of the UK's cybersecurity industry. Companies such as e2e-assure that have hired talent from the programme report positive benefits, including increased recognition and trust within the industry. Further information about the programme and about hiring graduates is available by email and on the programme's official website.
2023-10-12 06:24:42 thehackernews CYBERCRIME Asian Governments and Telecom Giants Targeted by Persistent Cyber Attacks
An ongoing cyber campaign has been targeting high-profile Asian government and telecom entities since 2021. The countries affected include Vietnam, Uzbekistan, Pakistan, and Kazakhstan. Cybersecurity company Check Point, which has labelled the campaign 'Stayin' Alive', reports that the attackers deploy basic backdoors and loaders to deliver further malware. The attack chain begins with a spear-phishing email carrying a ZIP attachment that uses DLL side-loading to install a backdoor called CurKeep. The campaign's infrastructure overlaps with that of ToddyCat, a China-linked threat actor known for attacking government and military agencies in Europe and Asia since December 2020; nonetheless, there is no conclusive evidence linking the two. The attackers employ a continually changing collection of loader variants that can execute remote commands and launch new processes, along with a passive implant that accepts remote connections. The increasingly common use of disposable loaders and downloaders, as seen in this campaign, makes detection and attribution harder because the tools are regularly replaced and potentially rewritten from scratch.
2023-10-12 04:42:46 thehackernews CYBERCRIME Major security vulnerabilities identified in Curl data transfer library - Patches released.
Developers have found two security flaws in the Curl data transfer library and have released patches to address them. The more serious flaw, designated CVE-2023-38545, could potentially result in code execution. It affects libcurl versions 7.65.0 to 8.3.0 and is caused by a bug involving a local variable during a slow SOCKS5 proxy handshake. The flaws could theoretically be exploited, without any need for a denial-of-service attack, through an overflow triggered by a malicious HTTPS server redirecting to a specific URL. Experts have speculated that the vulnerability will be exploited for remote code execution in live environments; however, the specific preconditions required for a machine to be vulnerable are more restrictive than initially believed. The second flaw allows an attacker to insert cookies into a running program that uses libcurl in certain circumstances; it affects versions 7.9.1 to 8.3.0. Patches for both vulnerabilities are included in version 8.4.0, released on October 11, 2023. The developer has commented that these flaws would not have been possible if Curl had been written in a memory-safe language instead of C, but there are no plans to port Curl to a different language.
2023-10-11 21:26:20 bleepingcomputer MALWARE New Malware Creates Rogue Admin to Hijack WordPress Websites
A new malware strain has been discovered that creates a rogue admin on WordPress sites, allowing threat actors to control the site's activity. The malware poses as a legitimate caching plugin and includes functions that let it manage plugins, replace content, or redirect certain users to malicious locations. The malicious plugin hides itself from the active plugins list on compromised websites and excludes itself from manual inspections. Cybersecurity firm Defiant, maker of the Wordfence security plugin for WordPress, discovered the malware in July. The firm has released a detection signature for users of the free version of Wordfence and added a firewall rule to protect premium users. Defiant has not yet determined the initial access vector used to compromise the WordPress sites; common methods include stolen credentials, brute-forced passwords, or exploitation of a vulnerability in an installed plugin or theme.