Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11552
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-04 22:22:46 | theregister | CYBERCRIME | Atlassian Reports Exploitation of Critical Zero-Day Vulnerability in Confluence Server and Data Center Software | Atlassian revealed that a critical bug in its Confluence Server and Confluence Data Center has been exploited, leading to the creation and abuse of admin accounts in its enterprise collaboration software. The vulnerability, tracked as CVE-2023-22515, affects versions 8.0.0 through 8.5.1; versions before 8.0.0 are not impacted. Public-facing instances are particularly at risk, as the flaw permits anyone who can reach a vulnerable deployment to gain admin-grade access. A number of customers have been affected so far. The company warns that upgrading an instance that has already been infiltrated will not expel the intruders; IT organizations must determine whether they have been compromised, root out unauthorized admins, and assess and rectify any damage. Atlassian has alerted customers about the affected versions and the corresponding mitigation steps, including the importance of restricting external network access to instances. Independent cybersecurity firm Rapid7 agrees with Atlassian's conclusion that the vulnerability is remotely exploitable, and emphasizes the unusual, though not unprecedented, severity of the flaw. As more details emerge, the extent of the victims, the impact, and the remediation requirements will become clearer in the coming days. | Details |
| 2023-10-04 21:36:50 | bleepingcomputer | MALWARE | Sophisticated Malware Campaign Steals Sensitive Data Through Malicious Python Packages | Checkmarx's Supply Chain Security team has been monitoring a progressively sophisticated malware campaign since April 2023. The campaign disseminates hundreds of malicious Python packages designed to steal sensitive data, which have been downloaded around 75,000 times. The operation has matured since it was first identified, with the package authors using increasingly elaborate obfuscation layers and detection-evading techniques to steal data and cryptocurrency. The malware can capture screenshots and steal files, and it monitors the victim's clipboard for cryptocurrency addresses, which it substitutes with the attacker's address to divert payments to the attacker's wallets. In addition to data theft, the malware manipulates application data; for instance, it alters the Electron archive of the Exodus cryptocurrency wallet management app to intercept data, and injects JavaScript code into Discord. The threat actors have increasingly employed encryption, multi-layer obfuscation, and the ability to disable antivirus products to hinder detection of their packages. The security analysts emphasise the vulnerability of open-source communities and developer ecosystems to such supply chain attacks, advising users to scrutinise the projects and package publishers they rely on. | Details |
| 2023-10-04 21:31:26 | theregister | CYBERCRIME | Buffer Overflow Vulnerability in GNU C Library Exposes Linux Distributions to Security Risk | A buffer overflow vulnerability in the GNU C Library (glibc) has been discovered by security firm Qualys. The flaw, dubbed "Looney Tunables," can be exploited to gain root access and take control of affected Linux systems. The vulnerability arises from the mishandling of the GLIBC_TUNABLES environment variable by glibc's dynamic loader (ld.so). Misuse or exploitation of this variable can broadly affect system performance, reliability, and security. Qualys has successfully exploited the vulnerability on several Linux distributions, including Fedora, Ubuntu, and Debian, while Alpine Linux remains unaffected because it uses musl libc instead of glibc. The defect was introduced in glibc 2.34 in April 2021 and has been assigned the identifier CVE-2023-4911 by Red Hat. Red Hat scores the vulnerability's severity as 7.8 out of 10 on the CVSS scale. Red Hat's Enterprise Linux 8, Enterprise Linux 9, and Virtualization 4 products are reportedly affected. Patches are being provided, and Linux users are advised to ensure their systems are up to date. Misuse of the GLIBC_TUNABLES environment variable when launching binaries with the SUID permission can allow an attacker to execute code with elevated privileges. | Details |
| 2023-10-04 20:25:04 | theregister | CYBERCRIME | NATO Faces Second Cybersecurity Breach by 'SiegedSec' Hacktivist Group | Cyber incidents targeting NATO are being "actively addressed" after a hacktivist group claimed a repeated security breach of several of the military alliance's websites. The group claims to have stolen more than 3,000 files and around 9GB of data. The hackers, known as the 'SiegedSec' crew, claim to have infiltrated six NATO web portals, boasting of their success on their Telegram channel with the message "NATO: 0. Siegedsec: 2." The group had previously breached NATO's security in July, taking data from 31 countries and leaking approximately 845MB from the NATO Communities of Interest (COI) Cooperation Portal. Threat intelligence company CloudSEK analysed data from the first breach, confirming it contained 20 unclassified documents and 8,000 personal records, including names, job titles, business and home addresses, and photographs. These breaches give potential identity thieves, spies, or trolls access to information useful for fraud, phishing, and general chaos. Despite the additional security measures in place, NATO confirms ongoing cyber threats but insists there has been no impact on its missions or operations. | Details |
| 2023-10-04 19:08:28 | theregister | NATION STATE ACTIVITY | Red Cross Issues Guidelines on Hacktivist Involvement and Cyber Warfare in Ukraine Conflict | The International Committee of the Red Cross (ICRC) has laid out guidelines for hacktivists and nations amid the ongoing cyber warfare accompanying the Ukraine conflict. The ICRC aims to discourage civilian involvement in cyber-attacks against other countries, which it describes as a "worrying trend". Eight rules have been set for hacktivists, including a prohibition on autonomous attacks and on attacks that might disrupt systems beyond the intended target. This rule would prohibit activities like those of the IT Army of Ukraine, which invites anyone to donate compute power for disruptive attacks against Russian targets. Four additional rules for states aim to discourage countries from tolerating hacktivist activity and to uphold International Humanitarian Law (IHL), with provisions for prosecuting violations where necessary. The rise of civilian engagement in digital warfare raises three main concerns: an increased risk of harm to civilians, the risk of civilians exposing themselves to military operations, and a blurred line between civilians and combatants. The effectiveness of these rules is questionable, as neither Russia, China, nor the US is party to the International Criminal Court, which administers international law. The guidelines have met with mixed reactions: a spokesperson for the IT Army of Ukraine committed to the rules, while the leader of the Russia-aligned Killnet DDoS operatives rejected them. Industry experts generally appreciate the spirit of the rules but doubt their ability to affect the Ukrainian conflict. | Details |
| 2023-10-04 18:22:27 | bleepingcomputer | CYBERCRIME | Apple Fixes Zero-Day Flaws Targeting iPhones and iPads | Apple released emergency security updates to patch a zero-day flaw exploited in attacks targeting iPhone and iPad users. The issue is caused by a weakness in the XNU kernel. Devices including models of iPhone, iPad, and iPod touch were impacted by this vulnerability, which is identified as CVE-2023-42824. An additional zero-day vulnerability, tracked as CVE-2023-5217, was also addressed; it is a heap buffer overflow in the VP8 encoding of the open-source libvpx video codec library, found and reported by Google's Threat Analysis Group (TAG). Over the course of the year, Apple has fixed 17 zero-day vulnerabilities exploited in attacks, including three recently patched ones (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) that were used in spyware attacks to install Cytrox's Predator spyware. Citizen Lab recently disclosed two zero-days (CVE-2023-41061 and CVE-2023-41064) that were fixed by Apple; these were used in zero-click exploit chains to infect fully patched iPhones with NSO Group's Pegasus spyware. Although Apple has addressed these issues with improved checks, the company has not yet identified the parties who discovered and reported the initial flaw. | Details |
| 2023-10-04 18:17:03 | theregister | MISCELLANEOUS | CISA Barred From Working With Social Media on Misinformation Regulation | The Cybersecurity and Infrastructure Security Agency (CISA) is banned from liaising with social media companies to prevent the spread of misinformation, as per a ruling by the US Fifth Circuit Court of Appeals. The new judgement modifies a decision made in September that found several US government agencies, namely the White House, the surgeon general, the CDC, and the FBI, exceeded their bounds by asking platforms like Facebook and Twitter to limit or delete posts containing disinformation related to elections or COVID-19. CISA was named by the states of Missouri and Louisiana, along with a few individual plaintiffs, as violating their First Amendment rights to free speech. The injunction will disrupt a major part of the Biden administration's moderation requests to social media platforms, as the court concluded that CISA had acted as a "switchboard" for directing moderation requests to social media firms. While CISA declined to comment on the ongoing litigation, executive director Brandon Wales stated that the agency does not censor speech or enable censorship. There is rising speculation that the case may be heard by the Supreme Court, following increasing confusion around the initial opinion given by the Fifth Circuit Court of Appeals. | Details |
| 2023-10-04 17:41:24 | bleepingcomputer | CYBERCRIME | Atlassian Releases Emergency Updates to Patch Confluence Zero-day Vulnerability | Australian software firm Atlassian has issued critical security updates addressing a zero-day vulnerability found in its Confluence Data Center and Server software that has been exploited in attacks. This serious privilege escalation flaw, tracked as CVE-2023-22515, affects Confluence Data Center and Server 8.0.0 and later and is remotely exploitable in low-complexity attacks without user interaction. Atlassian urges customers with vulnerable software versions to upgrade to a fixed version or, if immediate patching is not possible, to isolate the impacted instances from internet access. Customers should also prevent access to /setup/* endpoints on Confluence instances and inspect for signs of compromise. The company emphasises the urgency of securing Confluence servers given their history as a target for malicious actors, including previous incidents involving ransomware, Linux botnet malware, and crypto miners. Last year, the US agency CISA ordered federal entities to resolve a different critical vulnerability in Confluence that had been exploited in the wild. | Details |
| 2023-10-04 17:36:00 | bleepingcomputer | CYBERCRIME | 100,000 Industrial Control Systems Exposed Online | Approximately 100,000 industrial control systems (ICS) are exposed on the internet, leaving them open to cyber attacks. These systems include power grids, traffic light systems, and water systems, among others. Cybersecurity firm BitSight reported the issue, stating that the threat affects many Fortune 1000 companies across 96 countries. BitSight identified the exposed systems through mass-scale scans of the global IP address space and by analyzing the resulting logs. The Education, Technology, Government, Business Services, Manufacturing, Utilities, Real Estate, Energy, Hospitality, and Finance sectors were the least secure in terms of ICS security. Though BitSight has noted a decrease in the number of exposed devices since 2019, a large number of vulnerable ICSs remain. It is difficult, however, to estimate how many of these are exploitable or the degree of damage an attack could cause. To ensure secure remote access to these systems, researchers suggest implementing basic security measures such as VPN access, multi-factor authentication, role-based access control, and network segmentation. | Details |
| 2023-10-04 16:44:37 | bleepingcomputer | CYBERCRIME | Cisco Patches Vulnerability in Emergency Responder Product Due to Hard-Coded Root Credentials | Cisco has released patches for Cisco Emergency Responder (CER) to fix a vulnerability that could allow attackers to log into affected devices using default, static root account credentials. The security flaw, tracked as CVE-2023-20101, exposes the devices to unauthenticated attackers who could execute arbitrary commands as the root user. The vulnerability, discovered during internal security testing, affects only CER version 12.5(1)SU4, and there is no known public disclosure or malicious exploitation of the flaw at this time. There are currently no workarounds to mitigate this security flaw, so administrators must apply the system updates as soon as possible to eliminate the threat. The flaw follows a series of vulnerabilities identified by Cisco, including a zero-day vulnerability in its IOS and IOS XE software, along with another zero-day vulnerability in its Adaptive Security Appliance and Firepower Threat Defense software. | Details |
| 2023-10-04 15:12:55 | thehackernews | CYBERCRIME | Android Spyware DragonEgg Linked to iOS Surveillance Tool LightSpy | Recent findings suggest a connection between the Android spyware DragonEgg and the iOS surveillance tool LightSpy. Both malware strains are capable of gathering sensitive data from their respective devices. DragonEgg, known for its association with Chinese nation-state groups, was initially exposed by Lookout in July 2023. Details about LightSpy emerged in March 2020 during Operation Poisoned News. Dutch mobile security firm ThreatFabric highlighted that both malware attack chains involve a trojanized Telegram app that downloads a secondary payload, followed by a third component called Core. The core module of LightSpy, also known as DragonEgg, operates as an orchestrator plugin responsible for gathering the device fingerprint, contacting a remote server, awaiting instructions, and updating itself. LightSpy features various plugins, such as a location module that tracks precise locations, a sound-recording module that can capture ambient sound and WeChat VOIP audio conversations, and a module that gathers payment history from WeChat Pay. DragonEgg and LightSpy share infrastructure, with their command and control (C2) servers located in mainland China, Hong Kong, Taiwan, Singapore, and Russia. ThreatFabric also discovered a server housing data from 13 unique phone numbers associated with Chinese cellphone operators, suggesting these could be either test numbers of the LightSpy developers or their victims. | Details |
| 2023-10-04 14:57:18 | bleepingcomputer | CYBERCRIME | Hackers Attempt to Breach Azure Cloud via Vulnerable SQL Servers | Hackers are exploiting Microsoft SQL Servers vulnerable to SQL injection in an attempt to breach Azure cloud environments. Microsoft's security researchers have observed an attack chain that begins with the exploitation of an SQL injection vulnerability, allowing threat actors to gain access to a SQL Server instance hosted on a Microsoft Azure Virtual Machine. Once access is gained, attackers can enumerate databases, schemas, network configurations, and permissions, effectively giving them a shell on the host if the compromised application has elevated permissions. The attackers attempted to acquire the cloud identity access key from the SQL Server instance in order to reach any cloud resource the identity has permissions to. Although this attempt failed due to errors, the method itself continues to pose a significant threat. Microsoft's security recommendations include using the Defender for Cloud and Defender for Endpoint protections to catch SQL injections and suspicious SQLCMD activity, and applying the principle of least privilege when granting user permissions, to add obstacles to lateral movement attempts. | Details |
| 2023-10-04 14:05:50 | bleepingcomputer | CYBERCRIME | Advantages of Continuous Monitoring for Enhancing Cybersecurity | Traditional cybersecurity models primarily focus on point-in-time assessments, where security vulnerabilities are evaluated at specified intervals, usually following an incident or a scheduled audit. However, due to the rise in zero-day vulnerabilities, polymorphic malware, and Advanced Persistent Threats (APTs), there is a need for continuous, proactive cybersecurity evaluations. Traditional penetration testing is one method of point-in-time assessment, in which a team of ethical hackers annually assesses vulnerabilities in an organization's network, systems, and apps. On the other hand, Penetration Testing as a Service (PTaaS) offers continuous monitoring by combining manual testing with automated tools for constant vulnerability scanning. PTaaS provides a more proactive security model, allowing organizations to detect potential weaknesses before they can be exploited. The choice between traditional penetration testing and PTaaS depends on an organization's specific needs and challenges: PTaaS is typically more effective for dynamic, constantly changing environments, while standard penetration testing may be more suitable when an attack surface does not change very often. Beyond securing web applications, other practices such as Endpoint Attack Surface Management (EASM) and Risk-Based Vulnerability Management (RBVM) can also benefit from the continuous monitoring approach, helping organizations gain a holistic view of their external attack surface and prioritize vulnerabilities based on risk. As cyber threats continue to evolve, organizations must adopt continuous monitoring procedures in their PTaaS, EASM, and RBVM practices to improve their cyber resilience. | Details |
| 2023-10-04 12:08:27 | bleepingcomputer | DATA BREACH | Sony Interactive Entertainment Confirms Major Data Breach | Sony Interactive Entertainment (Sony) has acknowledged a cybersecurity breach affecting around 6,800 individuals. The breach exposed personal information of current and former employees and their family members. The breach resulted from exploitation of a zero-day vulnerability in Sony's MOVEit Transfer platform. The vulnerability has been leveraged in wider attacks by the Clop ransomware gang. The intrusion took place on May 28 and was discovered on June 2, when unauthorized downloads were found. The platform was immediately taken offline, and the vulnerability has since been remediated. The impact of the incident was limited to the MOVEit Transfer platform, with no effect on other Sony systems. However, sensitive information relating to 6,791 US individuals was compromised. Recipients of the data breach notification are being offered Equifax credit monitoring and identity restoration services, which can be accessed until February 29, 2024. Sony experienced another security breach last month, resulting in the theft of 3.14GB of data from the company's systems. Sony has thus confirmed limited security breaches in two different incidents within the last four months. | Details |
| 2023-10-04 11:58:04 | thehackernews | CYBERCRIME | Wing Disrupts SaaS Security Market with Affordable and Essential Security Level Solution | SaaS security provider Wing Security has announced a new tier of security service, designed to cover essential security requirements for businesses and priced at $1,500 a year. The offering includes crucial SaaS security must-haves such as shadow IT discovery, automated vendor risk assessments, and user access reviews for critical business applications. Wing's services allow companies to generate compliance-ready access reports for auditors and contribute towards ISO 27001 and SOC 2 certification. The average employee uses 28 different SaaS applications, and an average of seven new applications are introduced to mid-size organizations each month. Wing's new product enables organizations to meet basic security standards even if they cannot invest in a complete Secure Software Portfolio Management (SSPM) solution. While the new product tier provides essential security features, the solution is not intended to be comprehensive, suggesting that companies will eventually need to upgrade to a full SSPM solution for completely secure SaaS usage. | Details |