Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12633

Checks for new stories every ~15 minutes

2023-12-29 14:01:27 thehackernews CYBERCRIME Albanian Legislative and Telecom Entities Suffer Targeted Cyber Attacks
The Albanian Parliament and the telecom company One Albania were victims of cyber attacks, with the incidents being officially confirmed by Albania's National Authority for Electronic Certification and Cyber Security (AKCESK). One Albania, which services around 1.5 million subscribers, reported handling the incident smoothly, claiming no disruption to its mobile, landline, and IPTV services. AKCESK identified the attacks in real-time and noted that they did not originate from within Albania, focusing on tracing the source and safeguarding systems against future breaches. The Iranian hacker group Homeland Justice has taken credit for these cyber attacks as well as for hacking the national airline Air Albania, declaring a mission against "supporters of terrorists." The attacks have provoked AKCESK to re-evaluate and reinforce the nation's cybersecurity strategies, although the full extent and details of the cyber attacks are still undisclosed. This series of incidents follows similar cyber attacks that occurred in mid-2021, after which the United States imposed sanctions on Iran's Ministry of Intelligence and Security for its involvement in cyber activities against the U.S. and allied nations.
2023-12-29 10:47:42 thehackernews MALWARE Ukraine CERT Warns of APT28 Spearheading Malware Phishing Campaign
CERT-UA identified a phishing campaign by the Russia-linked APT28 group deploying new malware strains OCEANMAP, MASEPIE, and STEELHOOK. The attacks, observed between December 15-25, 2023, target government entities, urging them to click malicious document links that initiate malware infection. MASEPIE, a Python-based malware, downloads/uploads files, executes commands, and communicates with its C2 server over an encrypted TCP channel. STEELHOOK, a PowerShell script, collects web browser data and sends it to the hackers' server in Base64-encoded format. OCEANMAP, a C#-based backdoor, facilitates command execution and uses the IMAP protocol for its control channel, with persistence achieved via a URL file in the startup folder. The attacks include penetration tools like Impacket and SMBExec for swift reconnaissance and lateral movement within an hour after initial breach. APT28 also exploits critical vulnerabilities such as CVE-2023-23397 for unauthorized account access on Exchange servers, expanding their campaign reach.
2023-12-29 09:15:25 thehackernews NATION STATE ACTIVITY North Korean Kimsuky Hackers Execute Sophisticated Spear-Phishing Attacks
North Korean hacking group Kimsuky has been reported using spear-phishing to deploy malware including AppleSeed, Meterpreter, and TinyNuke. South Korean cybersecurity firm AhnLab attributes these detailed attacks to Kimsuky, noting that their use of AppleSeed malware has been consistent for years. Kimsuky was sanctioned by the U.S. due to intelligence gathering activities supporting North Korea's strategic goals, including a shift in target focus from South Korea to global entities since 2017. Malicious documents sent through spear-phishing allow the malware to take control of systems, steal sensitive data, and drop additional payloads. AppleSeed, a notable backdoor used by Kimsuky since 2019, has iterated into an Android version and a Golang variant named AlphaSeed which uses the chromedp library for command-and-control server communication. Kimsuky's espionage tactics include phishing along with online presence on platforms like LinkedIn and GitHub to secure remote IT jobs, which serves as a revenue source for the North Korean regime. The evolving and aggressive nature of these cyber campaigns reflects North Korea's broader strategy to bypass international sanctions and illicitly profit from digital assets and intellectual property theft.
2023-12-29 08:03:46 theregister NATION STATE ACTIVITY Banking CEO Secretly Tests Security, Strains Vendor Relations
A consultant, "Jack," worked for a managed security services provider (MSSP) serving an African bank that had been hit by a state-sponsored cyber attack. The incident sparked a "panic purchase" of cybersecurity tools and services by the bank. The bank's CEO was not fully satisfied with the MSSP and questioned the value for money. Tensions between the CEOs of the bank and the MSSP increased after an unauthorized security test instigated by the bank's CEO. The test was carried out by the CEO's preferred cybersecurity provider and was not communicated to the MSSP, causing a false alarm in the security monitoring system. The incident resulted in a formal assessment of the MSSP's work, likened by Jack to "meeting an unhappy proctologist." Four months passed before the working relationship between the bank and the MSSP normalized.
2023-12-29 05:20:50 thehackernews MALWARE Microsoft Blocks MSIX Protocol to Thwart Malware Campaigns
Microsoft has disabled the ms-appinstaller protocol by default to prevent its abuse by threat actors deploying malware. Attackers have used signed malicious MSIX application packages to distribute malware through platforms like Microsoft Teams and search engine ads. Cybercriminals have been selling a malware kit exploiting the MSIX format and the ms-appinstaller protocol as a service. App Installer version 1.21.3421.0 and above implement the change to combat this issue. Since mid-November 2023, at least four cybercrime groups have used the App Installer service to introduce ransomware into systems. One of the malware families distributed through this vector, GHOSTPULSE, was involved in a campaign mimicking legitimate software installers. Microsoft had previously disabled the ms-appinstaller protocol in February 2022 to prevent attacks using Emotet, TrickBot, and Bazaloader. Microsoft notes that threat actors preferred ms-appinstaller because it could bypass security mechanisms like Microsoft Defender SmartScreen.
2023-12-28 21:22:48 bleepingcomputer MALWARE Steam Game Mod Hacked to Distribute Password-Stealing Malware
A popular Slay the Spire expansion mod, Downfall, was breached on Christmas Day to distribute Epsilon information stealer malware. The compromised package was a standalone modified game version, not a Steam Workshop mod, and did not trigger security measures. Attackers gained control of a Downfall developer's Steam, Discord, and email accounts to manipulate the mod's Steam account. The malware harvested cookies, saved passwords, credit cards, and other sensitive information from various applications and documents. Users who launched Downfall during the breach are at risk and advised to change passwords, especially for accounts without 2FA. The malware installed itself on infected systems as part of the Windows Boot Manager or under the name UnityLibManager. Epsilon Stealer, sold on Telegram and Discord, is typically used to target gamers with the false promise of bug-testing games for payment. Valve has tightened Steam security, requiring SMS-based checks for developers updating games to prevent such instances since October 24, 2023.
2023-12-28 20:31:33 bleepingcomputer CYBERCRIME Eagers Automotive Suspends Trading Amid Cyberattack
Eagers Automotive, a major car dealership operator in Australia and New Zealand, halted trading following a cyberattack. The company employs 8,500 staff and reported revenues of AU$4.82 billion in the first half of 2023. The cyber incident affected numerous IT systems, leading to a shutdown of operations in various locations. The full impact of the cyberattack is not yet known; external cyber response experts have been engaged. Eagers Automotive has informed the Australian Cyber Security Centre and the New Zealand National Cyber Security Centre. The company is concerned about a potential data breach that may compromise sensitive customer and employee information. As yet, no ransomware group has publicly claimed responsibility for the cyberattack on Eagers Automotive. The cyberattack is part of a larger pattern of recent cyber incidents targeting significant Australian businesses and organizations.
2023-12-28 19:40:19 bleepingcomputer DATA BREACH EasyPark Suffers Data Breach Affecting Millions of App Users
EasyPark, a parking application developer, has announced a data breach impacting potentially millions of users, discovered on December 10, 2023. The compromised information may include personal details, partial payment card numbers, telephone numbers, and email addresses, but is not enough to make unauthorized transactions. The breach primarily affects European users of the EasyPark application, which has considerable reach, operating in over 4,000 cities across various countries. Users are advised to check the app for personalized notifications regarding the breach and are encouraged to reset passwords as a security measure. The company's security team is enhancing security protocols to prevent further issues, while the data protection authorities in Sweden, the UK, and Switzerland have been informed. A previous breach of ParkMobile, a related app under EasyPark, in 2021 led to data for 21 million customers being leaked online. Despite the breach, there have been no claims of responsibility from ransomware groups, but interest in the stolen data has been observed on hacking forums.
2023-12-28 19:09:25 bleepingcomputer MALWARE Microsoft Disables Protocol Used by Cybercriminals to Deploy Malware
Microsoft has deactivated the MSIX ms-appinstaller protocol handler due to its exploitation by cybercriminal groups to spread malware. Attackers exploited the CVE-2021-43890 vulnerability in the Windows AppX Installer to bypass security features like Defender SmartScreen and browser warnings for executable file downloads. Threat actors employed malicious ads for well-known software and phishing via Microsoft Teams to distribute signed malicious MSIX packages. The exploit has been linked to various financially motivated groups, including Storm-0569, Storm-1113, Sangria Tempest (FIN7), and Storm-1674. These cybercriminals have also been offering a malware kit utilizing the MSIX file format and the ms-appinstaller protocol as a service. The FIN7 group, also involved with major ransomware operations such as REvil and Maze, leveraged the same vulnerability. Microsoft suggests installing the patched App Installer version 1.21.3421.0 or disabling the protocol via Group Policy to prevent exploitation.
2023-12-28 18:08:06 bleepingcomputer DATA BREACH Kroll Reports Data Breach Affecting FTX Customers' Personal Information
Kroll has disclosed that personal information of FTX bankruptcy claimants was exposed during a data breach in August. The breach revealed data such as coin holdings and balances, which attackers can use to identify wealthy cryptocurrency investors. Affected personal data includes names, email addresses, phone numbers, addresses, claim numbers, claim amounts, FTX account IDs, and in some cases, dates of birth. Kroll assures that no FTX systems or digital assets were compromised and they do not hold FTX account passwords. The company warned customers of potential phishing attacks trying to obtain unauthorized access to cryptocurrency accounts. Kroll recommends using cold wallets to protect crypto assets and staying vigilant about suspicious communication. This breach also affected a limited number of individuals associated with BlockFi and Genesis creditors, though the full extent of exposed information has not been disclosed. After a Kroll employee's phone number was stolen via a SIM-swapping attack, phishing emails began targeting affected customers, leading to potential theft of their wallet's seed phrases.
2023-12-28 17:47:12 bleepingcomputer NATION STATE ACTIVITY Ukrainian CERT Warns of APT28 Conducting Rapid, Coordinated Malware Attacks
Ukraine's Computer Emergency Response Team (CERT) detected a new phishing campaign from Russian state-sponsored hackers using novel MASEPIE malware. The APT28 group, also known as Fancy Bear, carried out the attacks between December 15 and 25, targeting Ukrainian entities with phishing emails containing malicious links. The MASEPIE malware downloader establishes persistence on an infected device and leads to additional malware downloads and data theft. APT28 employs additional tools like STEELHOOK to extract information from Chrome-based browsers and OCEANMAP, a C# backdoor for stealthy command execution. OCEANMAP employs the IMAP protocol for command and control, using email drafts to issue commands and store results, reducing detection risk. The attackers also utilized IMPACKET and SMBEXEC for network reconnaissance and lateral movement, indicating a sophisticated and swift attack methodology. The Ukrainian CERT highlighted the efficiency of the threat actors, being able to deploy these tools and start their attack within an hour of the initial system compromise.
2023-12-28 17:11:21 theregister CYBERCRIME Cybercriminals Target Vegas Casinos with Ransomware Attacks
Two Las Vegas casinos, Caesars Entertainment and MGM Resorts, suffered ransomware attacks by the same cybercrime group. Caesars reportedly negotiated a ransom down to $15 million after the attackers stole its customer loyalty program database. MGM chose not to pay the ransom, resulting in a week of IT system outages and operational disruptions, with an estimated $100 million in losses. The decision to pay or not to pay a ransom involves various factors including data type compromised, backup availability, potential downtime costs, and the extortionist group involved. Paying ransoms fuels the ransomware economy, encouraging further attacks and potentially funding weapons and oppressive regimes. Government sanctions can impact the decision to pay ransoms, as payments to sanctioned entities or individuals can be illegal. Efforts to secure networks and crack down on the infrastructure facilitating cybercrime are critical in combating the persistent threat of ransomware attacks.
2023-12-28 16:25:08 bleepingcomputer MALWARE Critical Apache OFBiz Vulnerability Exposes Confluence Servers
A critical vulnerability in Apache OFBiz allows remote code execution without authentication and is being actively exploited. Attackers employ public PoC exploits to target systems, looking for vulnerable Confluence servers, which usually contain sensitive data. The original fix provided by Apache for CVE-2023-49070 was incomplete, but a new patch for the subsequent issue, CVE-2023-51467, was released in OFBiz version 18.12.11. Despite the availability of the patch, many systems remain unpatched and at risk due to the wide circulation of PoC exploits. Shadowserver has observed numerous scans using a PoC for CVE-2023-49070 and anticipates similar activity for CVE-2023-51467. To prevent potential attacks and mitigate risks, Apache OFBiz users are urged to upgrade to the latest patched version promptly.
2023-12-28 15:54:04 theregister NATION STATE ACTIVITY Sophisticated iPhone Vulnerability Uncovered by Kaspersky Researchers
Kaspersky's Global Research and Analysis Team discovered an unknown hardware 'feature' in iPhones that allowed attackers to bypass memory protection. The vulnerability, tracked as CVE-2023-38606, affected iPhones up to iOS 16.6 and has been patched since July 2023. It is believed that this hardware feature was intended for testing or debugging purposes but was undocumented, making it a subtle attack vector. The issue involved the use of unknown Memory-Mapped IO addresses to circumvent the kernel's hardware-based protection. The discovery process was particularly challenging due to the complexity and closed nature of the iOS ecosystem, requiring extensive reverse-engineering of hardware and software. The flaw was pivotal in "Operation Triangulation," a cyber campaign that included deploying spyware and harvesting user data from targeted devices. Kaspersky notified Apple of the exploitation which led to a swift mitigation of the vulnerability. The case exemplifies how advanced hardware protections can be compromised by sophisticated attacks, especially when "security through obscurity" fails to obscure exploitable flaws.
2023-12-28 13:26:02 thehackernews CYBERCRIME Google Cloud Remedies Kubernetes Escalation Vulnerability
Google Cloud has patched a medium-severity privilege escalation flaw affecting their Kubernetes services, specifically within the Fluent Bit logging container and Anthos Service Mesh. The vulnerability, if exploited, could allow an attacker to escalate privileges within a Kubernetes cluster, leading to potential data theft, the deployment of malicious pods, and cluster operation disruptions. No real-world exploitation of this flaw has been reported, but updates have been made available in new versions of the Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM). To exploit this flaw, an attacker would need to have already compromised a FluentBit container, which could occur through initial access methods like remote code execution flaws. Google has taken action by removing the access Fluent Bit had to Kubernetes service account tokens and reconfiguring the Anthos Service Mesh to curtail excessive permissions. Security experts stress the risks associated with system pods automatically created by cloud vendors, highlighting that they often run with elevated privileges and are not directly managed by users.