Daily Brief


Total articles found: 11546

Checks for new stories every ~15 minutes

2023-10-03 10:10:49 bleepingcomputer MISCELLANEOUS Microsoft Defender Reverses False Positives on Tor Browser
Recent versions of the Tor Browser were wrongly flagged as potential security threats by Microsoft Defender due to the updated tor.exe file it contained. The alert caused uncertainty within the user community as they were notified about a possible trojan, a situation that turned out to be a case of false positives. After Tor reported the issue to Microsoft, it received a response saying, "We've reviewed the submitted files and have determined that they do not fit our definitions of malware or unwanted applications. As such, we've removed the detection." Microsoft provided instructions for users who still saw the false positives to update and clear any previous flags. Some users voiced criticism over the lack of a prior check with VirusTotal.com, which uses third-party security vendors to scan uploaded files. A Tor representative noted that the firm does not have a standing procedure for uploading files to VirusTotal before release. As a security measure, users are advised to verify the signature before installing Tor Browser.
2023-10-02 21:55:09 bleepingcomputer CYBERCRIME Exim Releases Patches for Three Zero-Day Vulnerabilities
The developers of Exim, a popular open-source mail transfer agent, have released patches for three of six disclosed zero-day vulnerabilities. The vulnerabilities were made public through Trend Micro's Zero Day Initiative (ZDI). One of the patched bugs (CVE-2023-42115) could allow unauthenticated attackers to remotely execute code because of an out-of-bounds write in the SMTP service; the advisory attributes the flaw to insufficient validation of user-supplied data, which can result in a write past the end of a buffer. The Exim team also patched two further vulnerabilities: an RCE bug (CVE-2023-42114) and an information disclosure vulnerability (CVE-2023-42116). Although the ZDI team assigned a severity score of 9.8/10, Exim does not regard these vulnerabilities as 'world-ending catastrophes', stating that successful exploitation of CVE-2023-42115 (the most severe) depends on the targeted server using external authentication. According to analysis by watchTowr Labs, these zero-days "require a very specific environment to be accessible". So while 3.5 million Exim servers are exposed online, the number actually vulnerable is likely much lower.
2023-10-02 21:34:38 theregister CYBERCRIME FBI Warning about 'Emerging' Ransomware Trends Discordant with Industry Analysis
The Federal Bureau of Investigation (FBI) issued a security alert on September 27 concerning emerging ransomware trends, which has raised industry eyebrows because of a perceived disconnect from the current threat landscape. The alert highlights two trends: dual ransomware infections, where a victim is hit by two distinct strains of malware, usually from the same cybercrime group, and data destruction tactics, where the malicious software wipes files to increase pressure on victims. Notably, the dual attacks typically occur within 48 hours of each other and have involved ransomware including AvosLocker, Diamond, LockBit, Quantum and Royal. However, cybersecurity professionals in the field contest how 'new' these trends are. Emsisoft's team flagged multi-strain ransomware attacks two years ago, and other industry veterans have pointed to repeat attacks by the same criminals, attributing this partly to the evolution of ransomware-as-a-service operations. The ongoing shift towards network disruption and threats of follow-on attacks, known as triple extortion, is also seen as a well-trodden path, with security analysts warning of such tactics since 2021. The article suggests the FBI's alert may lag behind the current ransomware landscape and its rapid evolution.
2023-10-02 20:17:25 bleepingcomputer CYBERCRIME Actively Exploited Flaws Found in Arm's Mali GPU Drivers
Arm has issued a warning about an actively exploited vulnerability in its widely used Mali GPU drivers, tracked as CVE-2023-4211. Google's Threat Analysis Group and Project Zero discovered the flaw. The vulnerability is an improper access to freed memory, which could allow sensitive data to be altered or compromised. Arm says there is evidence it may be under limited, targeted exploitation. Midgard, Bifrost, and Valhall series drivers are affected, covering device models introduced between 2013 and 2019, including popular devices such as the Samsung Galaxy S20/S20 FE and OnePlus Nord 2. The vulnerability has been addressed for the Bifrost, Valhall, and Arm 5th Gen GPU architectures with the release of kernel driver version r43p0 on March 24, 2023. The unsupported Midgard line is unlikely to be patched. Patch availability depends on how quickly each device maker and vendor integrates the fix, so, as supply chains vary, some users will receive the patch before others. Arm has also disclosed two other flaws, CVE-2023-33200 and CVE-2023-34970, in which a race condition allows improper GPU operations to access freed memory; the recommended upgrade targets for these are r44p1 and r45p0, released on September 15, 2023. All of the listed vulnerabilities require local access to the device, typically obtained by persuading users to install applications from unofficial sources.
2023-10-02 20:17:25 bleepingcomputer CYBERCRIME Critical Remote Code Execution Vulnerability Discovered in WS_FTP Server, Exploit Available
Security researchers have found a severe remote code execution vulnerability (CVE-2023-40044) in Progress Software's WS_FTP Server file sharing platform. The flaw, a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allows attackers to remotely execute commands on the underlying operating system. An estimated 2,900 hosts running WS_FTP Server are potentially vulnerable, many belonging to large enterprises, governments and educational institutions. Rapid7 reported active exploitation shortly after a proof-of-concept exploit was released. Progress Software has issued a security update for this critical vulnerability and is urging all WS_FTP Server customers to apply the patch as quickly as possible. Those unable to install the patch immediately are advised to disable the Ad Hoc Transfer Module to mitigate the risk. The U.S. Department of Health and Human Services security team (HC3) has also warned all Healthcare and Public Health sector organizations to update their servers as soon as possible.
2023-10-02 20:17:25 bleepingcomputer CYBERCRIME Ransomware Gangs Exploit Critical Vulnerability in JetBrains' TeamCity Systems
Ransomware groups are exploiting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw, identified as CVE-2023-42793 with a severity score of 9.8/10, allows unauthenticated attackers to execute code remotely without user interaction. TeamCity 2023.05.4, released on September 21, addresses the issue, but all previous versions remain affected, whether installed on Windows, Linux or macOS or run in Docker. Threat intelligence companies GreyNoise and PRODAFT have confirmed that multiple ransomware operations are using this exploit to breach TeamCity servers. The Shadowserver Foundation, a nonprofit internet security organization, has identified at least 1,240 unpatched TeamCity servers as vulnerable. JetBrains' TeamCity build and test automation platform is used by more than 30,000 organizations globally, including Citibank, Ubisoft, HP, Nike, and Ferrari.
2023-10-02 20:17:25 bleepingcomputer MALWARE New Malware-as-a-service 'BunnyLoader' Poses Growing Threat
A new malware-as-a-service called 'BunnyLoader' has been discovered that, among other capabilities, can steal and replace the contents of the system clipboard. BunnyLoader is under rapid development, with new features and bug fixes added regularly. The malware can download and execute payloads, log keystrokes, steal sensitive data and cryptocurrency, and execute remote commands. According to researchers at Zscaler, BunnyLoader is gaining popularity among cybercriminals because of its rich feature set and low price. The researchers also note that BunnyLoader can evade detection and install, hide and register itself on a victim's device. It steals data stored in web browsers, including passwords and credit card information, as well as data from cryptocurrency wallets, VPNs, and messaging apps; the stolen data is compressed into a ZIP archive and sent to the attacker's server. Its low price and rapid development make BunnyLoader an appealing choice for cybercriminals looking to adopt new malware projects, and the threat it poses is growing.
2023-10-02 15:14:56 bleepingcomputer DATA BREACH Motel One Group Announces Data Breach Following Ransomware Attack from BlackCat/ALPHV Gang
Low-budget hotel chain Motel One Group has disclosed a breach of customer data and credit card information following a ransomware attack. The chain operates in numerous countries, with over 90 hotels and 25,000 rooms. According to the company, the attackers attempted to deploy ransomware but its protective measures limited their success. Initial findings from the ongoing investigation point to the theft of customer addresses and information on 150 credit cards. However, BlackCat/ALPHV, the ransomware gang claiming responsibility, disputes this, stating that it stole nearly 24.5 million files totalling 6 TB. BlackCat/ALPHV has given Motel One five days to negotiate a ransom payment before it leaks all of the stolen data. It is currently unknown whether Motel One is revisiting its initial findings in light of the gang's public claims.
2023-10-02 15:04:22 bleepingcomputer CYBERCRIME FBI Warns of Rising 'Phantom Hacker' Scams Targeting Elderly Citizens
The FBI has issued a warning about a surge in 'phantom hacker' scams specifically targeting senior citizens in the US. These evolved tech support scams involve fraudsters masquerading as bank representatives, tech support personnel, or government officials and tricking victims into transferring their funds to supposedly 'secure' accounts controlled by the scammers. Between January and June 2023, the FBI Internet Crime Complaint Center (IC3) received 19,000 related complaints, with estimated victim losses amounting to over $542 million. Nearly 50% of the victims were over 60 years old, accounting for 66% of the total losses. In addition, losses from these scams in August 2023 were already 40% higher than total losses in 2022. The FBI advises individuals to avoid unsolicited pop-ups, text messages, emails, and granting control of their computers to unknown individuals. It also emphasized that the U.S. government will never demand payments via cryptocurrency, prepaid cards, or foreign wire transfers. Victims of such scams are encouraged to report incidents to the IC3, providing details like the identity of the caller, mode of communication, and the recipient's name and address to which funds were sent.
2023-10-02 13:47:49 theregister CYBERCRIME Suspected Mass Exploitation Attempts Against Progress Software's WS_FTP Begin
Researchers at Rapid7 have spotted possible exploitation of vulnerabilities in Progress Software's WS_FTP server software. The attacks began on 30 September, shortly after Progress Software released fixes for eight WS_FTP vulnerabilities, suggesting a possible mass exploitation attempt. Although the attacks appear to be low in volume and limited in visibility, notable WS_FTP customers include Rocksteady, the Denver Broncos, Scientific American, and H&M. An Assetnote scan found 2,900 hosts running the WS_FTP software, many of them large enterprises, governments, and educational institutions. Proof-of-concept (PoC) code began circulating online two days after Progress's security advisory, further increasing the risk of exploitation. Rapid7 urged users to upgrade to the latest version of WS_FTP and advised customers using the Ad Hoc Transfer module to disable or remove it. Progress Software has already faced mass exploitation of another of its products this year, MOVEit Transfer, by the Cl0p cybercriminal group, and is now involved in multiple lawsuits over data breaches that affected at least 400 organizations.
2023-10-02 11:29:26 theregister CYBERCRIME AWS Unveils MadPot, a Decade-Old Threat Intelligence Tool Thwarting Espionage & Botnet Attacks
AWS has disclosed the existence and function of MadPot, a threat intelligence tool that had previously been kept secret. Operating since 2010, MadPot uses tens of thousands of threat sensors to track and analyze potential threats that visit AWS decoy sites. The system reportedly observes more than 100 million potential threats daily, of which about 500,000 turn out to be malicious activity. The intelligence gathered is added to a large data lake for future reference. Historical cases include helping to counter Chinese espionage attempts against US critical infrastructure, and identifying and mitigating the activities of the Beijing-backed cyber-espionage group Volt Typhoon by recognising unique signature elements of its payloads. More recently, MadPot disrupted the activities of Sandworm, a group tied to Russia's GRU military intelligence unit, which intended to hijack WatchGuard and ASUS routers to run its Cyclops Blink botnet for future attacks. The tool also stopped over 1.3 million botnet-driven DDoS attacks in Q1 2023, identified almost 2,000 botnet command-and-control hosts, and helped hosting providers and domain registrars dismantle the control infrastructure. The platform is also used to spot and curb network-flooding DDoS attempts and to block credential-stuffing attacks by providing insight into attackers' tactics and targets. AWS intends to keep expanding MadPot's capabilities and intelligence to respond more effectively to evolving cyber threats.
2023-10-02 11:29:26 thehackernews CYBERCRIME Silent Skimmer: Long-term Web Skimming Attacks Target Online Payment Businesses
The BlackBerry Research and Intelligence Team has identified a financially motivated campaign targeting online payment businesses in Asia Pacific, North America, and Latin America. The campaign, known as 'Silent Skimmer', exploits vulnerabilities in web applications to compromise the payment checkout page and plant web skimmers that harvest sensitive payment data. After the initial breach, the attackers use open-source tools and 'living-off-the-land' techniques for privilege escalation, post-exploitation, and code execution. They deploy a PowerShell-based remote access trojan on the web server and place a scraper in the payment checkout service to capture financial information. Command-and-control (C2) servers are chosen according to the victims' location to avoid detection. The attackers focus primarily on regional websites that collect payment data, capitalizing on vulnerabilities in widely used technologies to gain unauthorized access. Separately, cybersecurity firm Sophos has warned of a pig-butchering scam that lures victims into fake cryptocurrency investment schemes via dating apps. Unlike Silent Skimmer, the scam involves no malware or hacking, relying instead on fraudulent websites and social engineering.
2023-10-02 11:29:26 thehackernews CYBERCRIME LUCR-3 Hacker Group Expands Attacks, Leverages SaaS Tools for Data Theft and Extortion
LUCR-3, which overlaps with groups tracked as Scattered Spider, Oktapus, UNC3944 and STORM-0875, targets Fortune 2000 companies across sectors including Software, Retail, Hospitality, Manufacturing, and Telecoms. Its primary goal is to steal Intellectual Property (IP) for extortion. The group relies on the victims' own tools, applications, and resources rather than on malware or scripts. Initial access is gained by compromising identities in the Identity Provider (IDP). LUCR-3 then leverages SaaS applications to learn how the victim organization operates and to reach sensitive information. The stolen data is mostly IP, code-signing certificates, and customer data, and the group's extortion demands often run to tens of millions of dollars. LUCR-3 uses various evasion tactics and persists within the victim's infrastructure through several means, carrying out much of its cloud activity from Windows 10 systems using GUI utilities. It predominantly targets large organizations that hold valuable IP and companies that can be leveraged for supply chain attacks, and its recent activity suggests expansion into previously untargeted sectors such as hospitality, gaming, and retail. LUCR-3 conducts extensive reconnaissance before choosing a target and makes subtle modifications to MFA settings to evade detection. Once inside, the group focuses on locating critical data, moving through native applications and SaaS tools without raising alerts.
2023-10-02 11:29:26 thehackernews CYBERCRIME Increased Threat: APIs Becoming Prime Targets for Cyber Security Attacks
Application Programming Interfaces (APIs) act as bridges for sharing information and functionality, but their growing use has made them attractive targets for cybercriminals across industries. The Open Web Application Security Project (OWASP) ranks broken object-level authorization (BOLA) as the top API vulnerability: it allows attackers, even those with minimal technical ability, to manipulate an object ID in an API request and gain access to other users' data. API-targeted attacks have increased by 137%, with healthcare and manufacturing the primary targets. New Internet of Medical Things devices and their associated API ecosystem, along with the growth of IoT devices and systems in manufacturing, have contributed to these sectors' exposure. APIs offer benefits such as enhanced connectivity and streamlined operations but also carry significant cyber risk, as demonstrated by high-profile breaches at Quest Diagnostics in healthcare, Latitude Financial in financial services, Dropbox in technology, and Peloton in retail. To mitigate API risk, organizations need to prioritize robust security measures including strong authentication, regular vulnerability assessments, and compliance with industry regulations, along with comprehensive security protocols for integrating third-party APIs and ongoing monitoring to detect and address threats. BreachLock recommends that organizations update their API security practices to defend against increasingly sophisticated and frequent API attacks, and treat this as a significant cyber initiative.
2023-10-02 08:06:38 thehackernews MALWARE High-Severity 'Zip Slip' Vulnerability Found in OpenRefine Data Cleanup Tool
A significant security flaw of the 'Zip Slip' class has been discovered in the open-source data cleanup and transformation tool OpenRefine, potentially allowing arbitrary code execution on affected systems. Tracked as CVE-2023-37476 with a CVSS score of 7.8, the vulnerability affects versions 3.7.3 and below and is triggered when importing a specially crafted project. It stems from a directory traversal bug that can give access to areas of the file system that should be out of reach. A user could be misled into importing a malicious project file, which an attacker could use to execute arbitrary code on the user's machine. The vulnerability was responsibly disclosed on July 7, 2023 and fixed in version 3.7.4, released on July 17, 2023. The disclosure follows alerts about high-severity bugs in Microsoft SharePoint Server and Apache NiFi, all of which have now been patched. Left unaddressed, flaws of this kind can cause significant damage by allowing unauthorized access, compromising data integrity, and potentially causing financial and reputational harm.