Daily Brief

2023-10-09 17:59:07 bleepingcomputer CYBERCRIME Magecart Skimming Campaign Exploits 404 Error Pages for Credit Card Theft
A new Magecart card skimming campaign is hijacking online retailers' 404 error pages to hide malicious code and steal customers' credit card information. The technique, observed by the Akamai Security Intelligence Group, primarily targets Magento and WooCommerce sites, including organizations in the food and retail sectors. Besides 404 error pages, the attackers also use the HTML image tag's 'onerror' attribute and image binary techniques to conceal malicious code. The skimmer loader disguises itself as a Meta Pixel code snippet or hides within scripts on the compromised checkout page and fetches non-existent paths; the 404 response returned for those paths carries the malicious code. The skimming code displays a spoofed form to visitors, asking for sensitive information such as credit card details. On submission, the information is encoded and sent to the attacker disguised as an image request URL. Akamai's findings highlight the growing sophistication of Magecart actors, which makes their malicious code increasingly difficult to detect and remove from infected websites.
2023-10-09 16:22:26 thehackernews CYBERCRIME Suspected Chinese Botnet PEACHPIT Uses Compromised Android, iOS Devices in Massive Ad Fraud Scheme
A China-based operation has used a botnet named PEACHPIT to commit ad fraud, leveraging compromised Android and iOS devices. The operation forms part of a larger criminal enterprise named BADBOX. Operatives behind BADBOX sold off-brand mobile and connected TV (CTV) devices laced with the Triada Android malware strain on popular online retail sites, creating a backdoor into the victims' devices. The botnet's apps were found in 227 countries, exploiting 39 apps installed more than 15 million times on Android and iOS devices to carry out ad fraud, data theft, and other illicit activities. PEACHPIT botnet operators also exploited backdoored devices to create phony WhatsApp and Gmail accounts, thereby bypassing bot detection mechanisms. Evidence suggests that the Android devices became compromised through a hardware supply chain attack. BADBOX malware was found across 200 distinct Android device types, indicating the scale of the operation. Risk management firm HUMAN worked with Apple and Google to limit the botnet's operations. However, the threat actors behind the operation are likely adjusting their strategies to circumvent defensive measures.
2023-10-09 15:19:54 theregister NATION STATE ACTIVITY Ex-US Army Sergeant Accused of Attempting to Share Top Secret Information with China
Ex-US Army Sergeant Joseph Daniel Schmidt was arrested in San Francisco on charges of attempting to deliver and retaining national defense information. His last duty post was at Joint Base Lewis-McChord, and his work fell under the Indo-Pacific Command, covering the Pacific and Indian Ocean region, including China. The Department of Justice (DoJ) claims Schmidt created a Word document titled "Important Information to Share with Chinese Government" and offered to share Top Secret information via a Gmail address linked to his name. Schmidt is alleged to have emailed a Chinese state-owned enterprise, offering a Secret Internet Protocol Routing PKI token, an encryption key for accessing classified US intelligence networks. The DoJ noted Schmidt retired in January 2020 and traveled between China, the US, and Istanbul. He had reportedly been trying to secure employment and a permit to permanently relocate to China. The FBI claims that Schmidt had been told by Hong Kong immigration authorities that he had overstayed in the country in July 2020. Acting US attorney Tessa M Gorman for the Western District of Washington described the alleged actions of Schmidt as shocking.
2023-10-09 15:14:27 bleepingcomputer DATA BREACH Hackers Exploit Citrix NetScaler Flaw to Steal Login Information
Hackers are exploiting the CVE-2023-3519 flaw in Citrix NetScaler Gateways on a large scale to steal user login details; the flaw is a critical zero-day bug discovered in July. Despite warnings to update Citrix devices, the attack surface remains significant; as of mid-August, the flaw had been used to backdoor a minimum of 2,000 Citrix servers. IBM's X-Force discovered a campaign to steal NetScaler credentials while investigating a client case; the hackers exploited CVE-2023-3519 to inject a malicious JavaScript script that harvested login information. The campaign began on August 11, 2023, with 600 unique IP addresses of NetScaler devices identified, mostly in the U.S. and Europe. The attackers used a series of web requests and scripts to exploit vulnerable NetScaler devices, eventually exfiltrating collected credentials via HTTP POST requests. A new detection artifact discovered in the attack could aid early detection; system administrators are advised to follow remediation and detection guidance provided by the Cybersecurity and Infrastructure Security Agency (CISA).
2023-10-09 13:05:32 theregister CYBERCRIME Hacktivist Groups Engage in Cyber Attacks Amid Israel-Palestine War
Hacktivist activity has surged in the Middle East in response to escalating violence between Palestinian and Israeli forces. Approximately 15 known cybercriminal, ransomware, and hacktivist groups, including Anonymous Sudan and Killnet, have declared their involvement in disruptive activities targeting institutions in both Israel and Palestine, as well as their supporters. Both Anonymous Sudan and Killnet are believed to have links with Russia and have pledged to focus their attacks on Israeli targets. Other groups, including several aligned with India despite its government's support of Israel, have also claimed attacks on various Israeli and/or Palestinian government web services. The majority of attacks target government websites, media organizations, and critical infrastructure. However, the real-world impact appears to be minimal, with most attacks mitigated within an hour or two. The International Committee of the Red Cross (ICRC) recently published a set of rules intended to keep hacktivist activity safe and non-damaging, largely focused on the protection of civilian safety and resources. Despite initially rejecting the ICRC's rules, Killnet eventually announced it would abide by them, while the IT Army of Ukraine agreed to the rules immediately, albeit noting the potential tactical advantage for groups that choose not to adhere.
2023-10-09 12:39:27 thehackernews MISCELLANEOUS Webinar Explores AI and LLM Security Challenges and Solutions for vCISOs
The rapid integration of AI and Large Language Models (LLMs) across various sectors is introducing complex vulnerabilities and unforeseen cybersecurity risks. vCISOs and other cybersecurity service providers must take a proactive stance in safeguarding clients, particularly small to medium-sized businesses that are often unaware of these threats. Cybersecurity firm Cynomi is hosting a specialist panel to help vCISOs swiftly implement up-to-date security policies that address the emerging risks associated with AI and LLMs. The webinar will feature cybersecurity experts including the founders and CEOs of Cynomi and Lasso Security. The primary focus of the panel will be outlining the risks associated with AI and LLM security, as well as potential solutions to these challenges.
2023-10-09 12:39:27 thehackernews CYBERCRIME Phishing Toolkit 'EvilProxy' Targets Senior Executives in the US
A new phishing campaign is targeting senior executives in US organizations, predominantly in the banking and financial services, insurance, property management, real estate, and manufacturing sectors. The campaign employs the EvilProxy toolkit, a reverse proxy set up between the target and a legitimate login page to harvest login credentials, two-factor authentication (2FA) codes, and session cookies. The activity, which reportedly began in July 2023, abuses an open redirection vulnerability on the job search platform 'indeed.com' to send victims to malicious phishing pages impersonating Microsoft. The criminals pay monthly license fees ranging from $200 to $1000 USD to run the phishing toolkit, and many threat actors are using these services. After clicking a deceptive Indeed redirect link in a phishing email, the user is routed through the EvilProxy page and ultimately lands on a malicious phishing page, bypassing established security controls. The situation highlights the increased adoption by cybercriminals of sophisticated social engineering techniques and technology for business email compromise (BEC) attacks. Notably, the Police Service of Northern Ireland has noted a similar rise in phishing emails involving QR codes embedded in PDF documents or PNG image files.
2023-10-09 12:26:13 theregister DATA BREACH Volex Announces Data Breach: Operations Uninterrupted, No Significant Financial Impact Anticipated
The power and data transmission cable producer Volex has confirmed a breach of its digital infrastructure, but says that it was quickly contained and all sites remain operational, with minimal disruption. The company promptly enacted its cybersecurity protocols and enlisted third-party consultants to examine the extent of the incident and to execute the incident response plan. The financial fallout from the incident is not expected to be significant, yet the company's shares dropped by over 3% following the announcement. Volex, whose products range from power cords to datacenter power cables, reports revenue of more than £720 million ($879 million), with production sites located in Eastern Europe and across Asia. Volex has yet to comment on the details of the breach, including the nature of the attack, how it was identified, the length of system exposure, and whether a ransom was demanded or malware was deployed. Following the incident, the importance of comprehensive security measures, including software patching procedures and network segmentation, was highlighted as a way to limit the disruption and reputational damage such incidents can cause.
2023-10-09 12:26:13 thehackernews NATION STATE ACTIVITY Gaza-linked Cyber Actors Target Israeli Energy and Defense Sectors
Microsoft's fourth annual Digital Defense Report has revealed a series of cyber attacks aimed at Israeli interests, specifically in the private-sector energy, defense, and telecommunications organizations. The campaign is being tracked by Microsoft under the title Storm-1133. The cyber threat actor is thought to be operating out of Gaza and is believed to be working in the interests of Hamas. The targeted organizations are perceived as hostile to Hamas. The attack chain involves a combination of social engineering and fake LinkedIn profiles, posing as human resources managers, project coordinators, and software developers affiliated with Israeli organizations. They use these profiles to send phishing messages, conduct reconnaissance, and deliver malware to employees. Microsoft has also observed efforts by Storm-1133 to infiltrate third-party organizations with public connections to potential targets in Israel. These intrusions are designed to deploy backdoors and provide the group with constant updates to its command-and-control infrastructure, which is hosted on Google Drive. These cyber activities coincide with an escalation in the Israeli-Palestinian conflict and an increase in malicious hacktivist operations aiming to disrupt government websites and IT systems in Israel, the U.S., and India. Asian hacktivist groups are increasingly active, with around 70 incidents reported so far. Microsoft has noted a shift from destructive operations to long-term espionage campaigns amongst nation-state threats. The most targeted countries include the U.S., Ukraine, Israel, and South Korea. Iranian and North Korean state actors are showing increasing sophistication in their cyber operations, narrowing the capability gap with nation-state cyber actors from Russia and China.
2023-10-09 12:26:13 thehackernews CYBERCRIME Two Security Vulnerabilities Identified in Curl Library, Updates Due on October 11
The Curl library maintainers have warned of two security vulnerabilities, one of high severity and one of low severity, tracked as CVE-2023-38545 and CVE-2023-38546. Precise details of the issues and the affected version ranges have not been disclosed, to avoid helping malicious users locate the problem areas. The issues affect releases from the "last several years", with CVE-2023-38545 impacting both libcurl and curl, and CVE-2023-38546 affecting only libcurl. The risk of the vulnerabilities being independently discovered before the patch release is described as minuscule. Curl, powered by libcurl, is a widely used command-line tool supporting numerous protocols, so these vulnerabilities are potentially high impact. Organisations using curl and libcurl are advised to inventory and scan all systems now, so that they can identify vulnerable versions as soon as details are disclosed with the release of Curl 8.4.0 on October 11.
2023-10-09 12:26:13 thehackernews CYBERCRIME High-Severity Security Vulnerabilities in ConnectedIO's 3G/4G Routers and Cloud-Based Platform
Multiple high-severity security flaws have been discovered in ConnectedIO's ER2000 edge routers and its cloud-based management platform. These vulnerabilities could enable malicious actors to execute malicious code, access sensitive data, and potentially fully compromise the cloud infrastructure. The flaws could expose thousands of internal networks to severe threats, allowing bad actors to seize control, intercept traffic, and infiltrate extended IoT (XIoT) devices. They could be exploited to impersonate any device using leaked IMEI numbers and force devices to execute arbitrary commands. Several issues were also found in the communication protocol used between the devices and the cloud, including the use of hard-coded authentication credentials. The discovery of these flaws follows the disclosure of several vulnerabilities in network-attached storage devices from Synology and Western Digital, which could disrupt company operations, provide access to internal networks, and potentially lead to denial-of-service attacks.
2023-10-09 12:26:13 thehackernews CYBERCRIME Generative AI Contributing to Security Vulnerabilities through Prompt Engineering and Injection Methods
Generative AI systems, such as OpenAI's ChatGPT, are increasingly being exploited by hackers, who can trick these AI models into generating malicious code. Cybersecurity researchers highlight the ability of attackers to craft specific prompts that abuse the AI model's "learning" or "generative" capabilities for malicious purposes. Cases have been highlighted where AI models were manipulated into generating code for keylogger malware or creating polymorphic malware that can evade detection. A new issue named the 'Universal LLM Jailbreak' is gaining attention: a method to bypass the restrictions of ChatGPT, Google Bard, Microsoft Bing, and Anthropic Claude, manipulating the AI systems into carrying out unauthorized activities such as describing meth production and hot-wiring cars. 'Prompt injection' is also a growing concern, where users manipulate the AI into behaving in an unforeseen manner with potentially harmful results, such as revealing sensitive information like Bing Chat's internal codename. The emergence of these practices calls for stricter regulation and built-in security measures around generative AI to prevent misuse. Suggested measures include implementing security guardrails and limiting the AI's access to data, thereby reducing the potential for exploitation.
2023-10-09 12:26:13 bleepingcomputer CYBERCRIME HelloKitty Ransomware Source Code Leaked By Developer on Hacking Forum
The full source code for the initial version of the HelloKitty ransomware was leaked on a Russian hacking forum by a threat actor named 'kapuchin0', who is believed to be the actual developer. The developer, also known as 'Gookee', has a history of malware-related activity, including selling access to Sony Network Japan in 2020 and participating in Ransomware-as-a-Service operations. The release includes a Microsoft Visual Studio solution that builds the encryptor and decryptor for HelloKitty ransomware, as well as the NTRUEncrypt library the ransomware uses to encrypt files. The public availability of the source code has its downsides, as other attackers may repurpose it for their own operations, as seen with earlier ransomware source code leaks such as HiddenTear and Babuk. HelloKitty ransomware, in operation since November 2020, is known for high-profile attacks, including one against CD Projekt Red, where the operators claimed to have stolen and sold the source code for multiple games. The group has previously used a Linux variant to target the VMware ESXi virtual machine platform and has operated under other names such as DeathRansom, Fivehands, and possibly Abyss Locker.
2023-10-09 01:28:49 theregister MALWARE Android Devices Preloaded with Triada Malware Sold Online; Sony Confesses to MOVEit Breach
Malware defense firm Human Security has identified Android devices, sold online for under $50, preloaded with the Triada malware as part of a campaign termed 'BADBOX'. Over 200 models were found with pre-installed malware. The infection fed an ad fraud campaign dubbed 'PEACHPIT'. Roughly 121,000 Android devices and 159,000 Apple devices were reported to be affected at the peak of the campaign, generating over four billion invisible ads daily. An unidentified Chinese manufacturer is reported to embed a firmware backdoor into the Android-based devices before their delivery to resellers and e-commerce warehouses, so consumers unknowingly purchase malware-infected devices. Sony Interactive Entertainment admitted to a data breach resulting from an SQL injection attack that exploited vulnerabilities in Progress Software's MOVEit file transfer software, affecting the data of nearly 6,791 US employees. Sony reportedly took its MOVEit system offline on discovery of the breach. The MOVEit vulnerability has affected over 400 organizations and 20 million individuals to date. Sony also confirmed a second breach by the group Ransomed.vc, marking two breaches in the last four months. Lastly, software firm Blackbaud has been fined nearly $49.5 million by attorneys general from all 50 U.S. states over its inadequate data security practices and its response to a ransomware attack in 2020.
2023-10-08 15:11:04 bleepingcomputer CYBERCRIME Microsoft Warns 365 Admins regarding New Google Anti-Spam Rules
Microsoft has urged Microsoft 365 email senders to authenticate their outbound messages in response to Google's stricter anti-spam rules for bulk senders. Proper email authentication improves deliverability and protects the reputation of an organization's email campaigns. The Microsoft 365 service should not be used for bulk emailing, as this may lead to emails being blocked or labeled as spam; organizations wishing to send bulk email have been advised to use their own on-premises email servers or third-party mass mailing providers. From February 1, 2024, Google will enforce SPF/DKIM and DMARC email authentication for domains that send over 5,000 daily emails to Gmail users, aiming to strengthen defenses against email spoofing and phishing. Google will also require bulk senders to provide a one-click unsubscribe option for commercial emails and to process these requests within two days. Google has warned that failure to comply with these requirements could result in email delivery failures or classification as spam.