Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11575
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-10 14:04:27 | bleepingcomputer | MISCELLANEOUS | A Comprehensive Guide to Cyber Risk Acceptance and Mitigation | Cybersecurity practices protect systems, networks, and data from a variety of threats, which requires organizations to manage risk actively. 'Risk acceptance' is integral here, since resource constraints mean not every risk can be mitigated. Risk acceptance is the conscious identification and acceptance of vulnerabilities or threats that are tolerable within the company's operational context; the decision may be to accept the risk indefinitely, accept it temporarily, transfer it, or eliminate it immediately. Because the threat landscape keeps changing, risk acceptance decisions must be revisited regularly; a data breach, a penetration test that reveals serious vulnerabilities, or the introduction of new systems should trigger an immediate re-evaluation. The article recommends continuous penetration testing to give a near-real-time view of vulnerabilities and their potential consequences, supporting informed risk prioritization and mitigation. It emphasizes agility in cyber risk assessment: reassessing and adapting as new information arrives, and acting proactively against potential threats. | Details |
| 2023-10-10 12:53:07 | thehackernews | CYBERCRIME | Google Adopts FIDO Alliance-Backed Passkeys to Enhance User Account Security | Google has made passkeys the default sign-in method for all personal Google accounts, using the passwordless standard developed by the FIDO Alliance. Users will be prompted to create a passkey at their next sign-in, and the 'Skip password when possible' option in Google Account settings will be enabled. Passkeys replace passwords with public-key cryptography: a key pair is generated for each account, the private key stays on the user's device or in their password manager, and the service stores only the public key. Each passkey is unique to one service, so a user holds one passkey per account, and a passkey can only be used with the website or app it was created for. During login the service sends a random challenge; after the user verifies locally with biometrics or a PIN, the authenticator signs the challenge with the private key, and the service verifies the signature with the stored public key. Because the signed data is bound to the requesting origin and the private key never leaves the device, passkeys resist phishing and credential-based account takeover, and users no longer have to remember passwords. Microsoft, eBay, and Uber have also added passkey support recently. | Details |
| 2023-10-10 12:05:14 | theregister | CYBERCRIME | Ransomware Attack Speeds Increase, Dwell Time Reduced to Hours | According to Secureworks, the time between a ransomware operator's initial foothold and ransomware deployment is now under 24 hours in almost two-thirds of cases, down from 4.5 days in 2022 and 5.5 days the year before. The report suggests this is a response to the industry's improved detection capabilities, combined with the popularity of the ransomware-as-a-service (RaaS) model. Dwell times varied where data was exfiltrated before encryption in double-extortion incidents, but such incidents made up only 13% of ransomware cases in the past year. Attacks are less complex and higher in volume, partly because RaaS lowers the barrier to entry for less skilled criminals, who deploy ready-made encryptors rather than building their own. The main initial access vectors were vulnerability scanning and exploitation of internet-facing systems and the use of stolen credentials, which facilitated the initial intrusion in 32% of ransomware attacks over the past year; malware delivered by phishing email accounted for 14%. Secureworks noted that, despite the hype around AI-enabled attacks, most successful incidents came down to unpatched infrastructure and missing basic cyber hygiene. | Details |
| 2023-10-10 12:05:14 | thehackernews | CYBERCRIME | Citrix NetScaler Vulnerability Exploited in Wide-Scale Credential Harvesting Campaign | A critical code injection vulnerability (CVE-2023-3519) in Citrix NetScaler ADC and Gateway appliances is being exploited for credential harvesting. Attackers send a specially crafted web request to drop a PHP web shell, then use it to append custom code to the appliance's login page. The appended code loads a JavaScript file from a remote server; that script captures the username and password entered into the login form and sends them to attacker-controlled infrastructure. IBM X-Force identified more than 600 unique IP addresses hosting modified NetScaler Gateway login pages, most of them in the US and Europe. The attacks appear opportunistic: the earliest login page modification dates to August 11, 2023, and the activity has not been attributed to a specific threat group. The report coincides with Fortinet FortiGuard Labs' discovery of an updated IZ1H9 Mirai-based DDoS campaign, showing botnet operators' growing capacity to weaponize recent vulnerabilities quickly. Recommended mitigations are prompt patching and changing default credentials; note that patching does not remove a web shell or login page modification already in place, so appliances that were exposed before the fix should also be checked for both. | Details |
| 2023-10-10 12:05:14 | thehackernews | CYBERCRIME | GNOME Linux Systems Vulnerable to Remote Code Execution Attacks Due to libcue Library Flaw | A new flaw in the libcue library could let attackers achieve remote code execution (RCE) on GNOME Linux desktops. Tracked as CVE-2023-43641 (CVSS 8.8), it is a memory corruption bug in libcue, a library for parsing cue sheet files, and affects libcue 2.2.1 and earlier. libcue is used by Tracker Miners, the file metadata indexer included by default in GNOME, which parses files automatically as they appear on disk (for example in the Downloads folder); the bug is therefore reachable without the user ever opening the file. The flaw is an out-of-bounds array access in the track_set_index function, and an attacker can trigger it by tricking the user into downloading a malicious .cue file. Further technical details are being withheld to give users time to update. The disclosure comes two weeks after details were published of CVE-2023-3420, a high-severity type confusion bug in Google Chrome's V8 JavaScript engine that could be exploited for RCE in the browser. | Details |
| 2023-10-10 12:05:14 | thehackernews | CYBERCRIME | New Magecart Malware Campaign Manages to Exploit 404 Error Pages to Steal Customers’ Credit Card Info | A fresh Magecart campaign hides its skimmer in websites' default 404 error pages to steal payment card details from shoppers. It targets Magento and WooCommerce sites, and some victims are large retail and food companies. The malicious code is injected into the sites' first-party resources, either directly into HTML pages or into one of the first-party scripts, which makes it harder for security services and external scanners to detect. The attack runs in stages to obscure its activity, and the full skimmer is activated only on specifically targeted pages. Two further concealment techniques are a malformed HTML image tag whose onerror attribute carries the loader, and a loader disguised as the Meta Pixel code snippet; both can evade static analysis and external scanning. The campaign's distinctive technique is to modify the site's default error page so that it carries the hidden skimmer code; once loaded, the skimmer overlays a fake payment form to collect the user's data. Hiding the payload in 404 responses gives Magecart actors another evasion option, and can get past Content Security Policy headers and other controls that inspect the network requests made by the page. | Details |
| 2023-10-10 12:05:14 | thehackernews | NATION STATE ACTIVITY | Grayling APT Targets Multiple Industries Amid Ongoing Attack Campaign | Researchers have linked a previously unknown threat actor, dubbed Grayling APT, to attacks on IT, biomedical and manufacturing organisations in Taiwan. The campaign began in February 2023 and was still active in at least May 2023; other presumed targets include a Pacific Islands government agency and organisations in the US and Vietnam. Grayling is notable for a distinctive DLL side-loading technique that uses a custom decryptor to deploy payloads, and its main motive appears to be intelligence gathering. The group exploits public-facing infrastructure and deploys web shells for persistent access, then uses DLL side-loading to load payloads including Cobalt Strike, NetSpy and the Havoc framework. No evidence of data exfiltration has been seen so far, which points to a focus on reconnaissance and intelligence gathering, and the reliance on publicly available tools hinders attribution. The concentration on Taiwanese organisations suggests the actor operates from a region with a strategic interest in Taiwan. | Details |
| 2023-10-10 12:05:14 | thehackernews | CYBERCRIME | Increasing Online Risks to Minors: Thorn Finds Dramatic Rise in Child Sexual Abuse Material | A report from the tech non-profit Thorn highlights a growing trend of minors taking and sharing explicit images of themselves, which raises their risk of sexual abuse and exploitation. The findings align with those of other child-safety organisations; the National Center for Missing and Exploited Children reports a 329% increase in child sexual abuse material (CSAM) files over the last five years. The issue affects every platform that hosts user-generated content and calls for technology able to counter the trend. Hashing and matching, which compares digital fingerprints of uploaded content against those of known CSAM, is highlighted as an efficient detection method that limits the spread of this material. Thorn's CSAM detection tool, Safer, gives access to a database of more than 29 million known CSAM hashes and lets technology companies share hash lists, extending the corpus of known CSAM. Removing CSAM from the internet requires collaboration between technology companies and NGOs; Safer has so far identified over two million pieces of CSAM on client platforms. | Details |
| 2023-10-10 12:05:13 | bleepingcomputer | MISCELLANEOUS | Google Rolls Out Passkeys as Default Sign-in Option for Personal Accounts | Google has made passkeys the default sign-in option across all personal Google accounts. A passkey is a FIDO credential held on the user's device (or synced through their password manager) and unlocked with a hardware security key, PIN, fingerprint or screen-lock pattern; it is a more secure and more convenient alternative to a password. Because the service stores only a public key and the credential is bound to the site it was created for, passkeys reduce the value of a breached credential database and resist phishing; users also no longer need to remember and manage passwords, which improves both security and accessibility. Synced passkeys are backed up to the user's Google account, so they survive the loss of a device and carry over to a new one; support is available across major browsers and platforms, including Windows, macOS, iOS, Android and ChromeOS. The move is part of a broader shift by Microsoft, Apple and Google to passwordless sign-in using FIDO/WebAuthn credentials. Passwords and 2-Step Verification continue to work for Google Accounts. | Details |
| 2023-10-10 02:34:42 | theregister | NATION STATE ACTIVITY | 'Cyber Star Program' Aims to Bolster Singapore's Response to Major Cyber Attacks | Exercise Cyber Star, run by the Cyber Security Agency of Singapore (CSA) in partnership with the SANS Institute, began on September 25. The week-long annual event aims to strengthen Singapore's whole-of-nation response to cyber attacks. The fifth edition drew over 450 participants from 11 critical information infrastructure sectors: aviation, banking and finance, energy, government, healthcare, info-communications, land transport, maritime, media, security and emergency, and water. It covered ransomware, distributed denial of service (DDoS), industrial control system (ICS) compromise and insider threats, followed by technical workshops and hands-on practice sessions. Participants took part in GRID NetWars, an interactive simulation of a real-world attack on ICS environments of the kind operated in Singapore, to familiarise them with the dynamics of each threat scenario and the best response actions. SANS APAC Technical Director Delaney Ng also hosted 20 young people, in coordination with Cyber Youth Singapore (CYS), offering advice on cyber security careers and on countering cyber threats. The exercise underscored the role of continuous training, awareness campaigns, simulated exercises and the development of the next generation of practitioners in keeping the country's critical infrastructure resilient. | Details |
| 2023-10-09 21:55:29 | bleepingcomputer | CYBERCRIME | D-Link WiFi Extender Vulnerable to DoS Attacks and Remote Command Injection Attacks | D-Link's DAP-X1860 WiFi 6 range extender is vulnerable to denial of service (DoS) and remote command injection. The device mishandles SSIDs that contain a single quote ('): the SSID is spliced into a shell command, so the quote terminates the intended argument and whatever follows it is executed as a further command. An attacker within radio range can set up a rogue WiFi network whose name contains a single quote followed by a command; when the extender scans and parses that SSID it either crashes or runs the injected command. Every process on the extender, including any the attacker starts, runs as root, so a compromised extender threatens the other devices on the network. German firm RedTeam Pentesting reported the flaw to D-Link in May 2023 but has received no response or fix. Until a fix is available, DAP-X1860 users are advised to avoid manual network scans, watch for sudden disconnections, and keep IoT devices and range extenders on a separate network from sensitive devices. | Details |
| 2023-10-09 21:34:55 | bleepingcomputer | CYBERCRIME | ALPHV Ransomware Gang Claims Attack on Florida's First Judicial Circuit Court | The ALPHV ransomware group, also known as BlackCat, has claimed responsibility for a cyberattack on the state courts of Florida's First Judicial Circuit in Northwest Florida, alleging it has obtained sensitive personal data of employees, including judges. The group also claims to hold a complete map of the court's network, including credentials for local and remote services, and has threatened to leak the stolen data to force negotiations. Following the attack on October 2nd, the circuit court announced an investigation and warned that court operations in Escambia, Okaloosa, Santa Rosa and Walton counties could be disrupted, while stating that all court facilities remained open. ALPHV, believed to be a rebrand of DarkSide/BlackMatter, first emerged in November 2021 and is known for rapidly adapting and refining its tactics. The FBI has issued warnings about the group, citing more than 60 breaches worldwide between November 2021 and March 2022. | Details |
| 2023-10-09 20:28:43 | bleepingcomputer | CYBERCRIME | GNOME Linux Systems Vulnerable to Remote Code Execution Attacks via File Downloads | Tracker Miners, the file metadata indexer that is part of the GNOME desktop on Linux, is vulnerable to memory corruption via malicious .CUE files. GNOME is the default desktop on many distributions, including Debian, Ubuntu, Fedora, Red Hat Enterprise Linux and SUSE Linux Enterprise, all of which are exposed to malicious code execution. The flaw, CVE-2023-43641, is exploited when a user unknowingly downloads a crafted .CUE file, which Tracker Miners indexes automatically; the user does not have to open it. Kevin Backhouse, the GitHub security researcher who found the bug, urges users to update their GNOME desktop. Although the proof-of-concept exploit needs adjusting for each distribution, it ran "very reliably" on Ubuntu 23.04 and Fedora 38, so all GNOME-based distributions should be considered at risk. System administrators are urged to patch, as the flaw can lead to code execution on current releases of widely used distros. Backhouse has previously found several serious Linux flaws, including a privilege escalation bug and an authentication bypass. | Details |
| 2023-10-09 19:25:59 | bleepingcomputer | CYBERCRIME | Over 17,000 WordPress sites compromised in Balada Injector cyberattack | Balada Injector campaigns compromised more than 17,000 WordPress sites last month by exploiting known vulnerabilities in premium themes and the plugins bundled with them. The campaigns exploited CVE-2023-3169 in the tagDiv Composer plugin shipped with the premium Newspaper and Newsmag themes, which potentially affects 155,500 sites. Compromised sites redirect visitors to fake tech support pages, fraudulent lottery wins and push notification scams. Balada Injector has been active since 2017 and has compromised close to one million WordPress sites to date. A scan of compromised sites shows that more than half of the successful attacks used the CVE-2023-3169 exploit. Sucuri recommends updating the tagDiv Composer plugin to version 4.2 or later, keeping all themes and plugins up to date, removing dormant user accounts and scanning files for hidden backdoors. | Details |
| 2023-10-09 18:04:28 | bleepingcomputer | CYBERCRIME | Hackers Use Online Stores’ 404 Error Pages to Steal Credit Card Information | A new Magecart card-skimming campaign hijacks online retailers' 404 error pages to hide code that steals customers' credit card details. It targets sites running Magento and WooCommerce, and some victims belong to prominent food and retail organisations. Using the '404 Not Found' page to conceal and load the skimmer is a concealment technique not seen in previous Magecart campaigns. The loader, disguised as a Meta Pixel snippet or hidden among random inline scripts, requests a relative path named 'icons' that does not exist on the site; the resulting 404 page carries the hidden skimmer code, which the loader extracts and runs, and because the request looks like a failed fetch of a harmless resource it slips past most security tools. The skimmer displays a fake form asking visitors for sensitive details including card data, then sends the captured data to the attackers in a request that looks like an ordinary image fetch, evading network traffic monitoring. The use of 404 pages shows how Magecart actors keep evolving their techniques, making it harder for site owners to find and remove the malicious code. | Details |