Daily Brief


Total articles found: 11546

Checks for new stories every ~15 minutes

2023-10-02 05:34:08 thehackernews MALWARE New Malware-as-a-Service Threat 'BunnyLoader' Discovered on Cybercrime Underground
Cybersecurity experts have identified a new Malware-as-a-Service threat named BunnyLoader being sold in the cybercrime underground, with functionality that includes downloading and executing a second-stage payload, credential theft, keystroke logging, and altering cryptocurrency wallet addresses on the victim's clipboard. BunnyLoader is a C/C++-based loader available for a lifetime license fee of $250 and has been continuously updated with new features and enhancements since its September 2023 debut, including anti-sandbox and antivirus evasion capabilities. Notable features of BunnyLoader include a command-and-control (C2) panel that offers buyers monitoring and control over compromised systems. The initial access mechanism used for distributing BunnyLoader is unknown. Once installed, it maintains persistence via a Windows Registry change and performs various checks before activating its malicious payloads. The components BunnyLoader can inject and activate include a Trojan that downloads next-stage malware, a keylogger, a data stealer that harvests data from messaging apps and web browsers, and a clipper that redirects cryptocurrency transactions to benefit illicit actors. The discovery of BunnyLoader joins previous findings of similar tools such as MidgeDropper, Agniane Stealer and The-Murk-Stealer, highlighting the increasing sophistication and prevalence of malware-as-a-service offerings in the cybercriminal underground.
2023-10-02 05:08:32 thehackernews MALWARE Zanubis Android Banking Trojan Disguises as Peruvian Government App
A new Android banking trojan called Zanubis is posing as a Peruvian government app and infecting devices in Latin America, specifically targeting 40 banks in Peru. A study published by Kaspersky found that the trojan takes full control of infected devices by deceiving users into enabling accessibility permissions. Once installed, the malware operates covertly in the background, maintaining a connection to an attacker-controlled server to receive next-stage commands, and keeps track of the applications being launched on the device for data theft. The trojan goes unnoticed because it creates a façade of authenticity by loading the genuine Peruvian customs and tax agency site via WebView while monitoring the applications opened by the user. A distinguishing feature of Zanubis is its ability to mimic an Android operating system update, rendering the device inoperable while it monitors any attempts to lock or unlock the phone. Separately, AT&T Alien Labs disclosed another Android-based Remote Access Trojan dubbed MMRat that is capable of capturing user input and screen content along with command-and-control functionality.
2023-10-02 01:04:58 theregister MISCELLANEOUS Singapore Introduces Passport-Free Biometric Immigration Clearance
Singapore has passed the Immigration Amendment Bill, enabling passport-free, end-to-end biometric clearance at airports from 2024. Singapore will be one of the first few countries globally to implement such a system; while Dubai offers similar clearance for select enrolled travellers, no other countries currently plan similar measures. For the time being, passports will still be required for international travel, and airlines will likely continue checking them for identity and visa confirmation. The drive towards biometric clearance is due to a boom in travellers, an ageing population, security threats, and a reduction in the workforce of Singapore's Immigration & Checkpoints Authority. Biometric information will need to be provided to the airport operator for bag management, access control, gate boarding, duty-free purchases and security purposes. Concerns have been raised regarding data privacy and technical glitches; in response, only Singaporean companies will be issued the related IT contracts, all data will be encrypted, and vendors will be bound by non-disclosure agreements. Manual clearance will remain available for those who are unable to provide certain biometrics or who are less digitally literate.
2023-10-01 21:57:10 theregister CYBERCRIME Progress Software Patches Known Vulnerabilities in WS_FTP; Johnson Controls Hit by Major Ransomware Attack; Supply Chain Fears Rise as Japanese Carrier NTT Docomo is Targeted
Progress Software has issued crucial patches for its WS_FTP file-handling product after eight vulnerabilities, some scoring a full 10/10 on the CVSS severity scale, were identified. All versions of WS_FTP Server prior to 8.7.4 and 8.8.2 are vulnerable to .NET deserialization attacks from a pre-authenticated attacker, among other issues such as path traversal, XSS and SQL injection. High-profile WS_FTP customers, including H&M and the Denver Broncos, are advised to update their installations immediately. Industrial systems firm Johnson Controls acknowledged a "cybersecurity incident" in a recent SEC filing that multiple sources reported as a massive ransomware attack, which allegedly resulted in the loss of over 27 terabytes of company data. Dark Angels, a ransomware group, is reportedly demanding a $51 million ransom from Johnson Controls. Japanese cell carrier NTT Docomo is believed to have been targeted in a potential supply chain attack by Ransomed.vc, a group that earlier claimed to have leaked data stolen from Sony online. Researchers at Resecurity are investigating a possible link between these two incidents.
2023-10-01 18:27:31 bleepingcomputer MISCELLANEOUS Amazon Mistakenly Sends Confirmation Emails for Gift Card Purchases
Amazon mistakenly sent out purchase confirmation emails for Hotels.com, Google Play, and Mastercard gift cards to customers. Many recipients of the emails were alarmed, thinking their accounts had been compromised. Customers reported three separate emails from Amazon Prime, one for each gift card purchase, though no such purchases were found in their accounts. The emails were sent using Amazon Simple Email Service and passed DKIM and SPF authentication checks, indicating they genuinely originated from Amazon. According to a support agent, the error was Amazon's and all customers received these emails by mistake. The situation may have raised concerns about potential scam attempts, as the emails discussed how gift cards are commonly requested as payment in online scams. At the time of writing, Amazon had yet to respond officially to media queries.
2023-10-01 17:31:11 bleepingcomputer CYBERCRIME Newly Discovered Marvin Attack Highlights Revived Flaw in RSA Decryption
Red Hat researchers have found a revived flaw (originally discovered in 1998) related to PKCS #1 v1.5 padding in secure socket layer (SSL) servers that still affects various widely used projects. Named the 'Marvin Attack', the method lets attackers decrypt RSA ciphertexts, forge signatures, and decipher sessions recorded from a susceptible transport layer security (TLS) server. The researchers found it feasible to execute the Marvin Attack within a few hours using ordinary hardware, demonstrating its practicality. The risks associated with the Marvin Attack are broad and are not restricted to RSA; they extend to most asymmetric cryptographic algorithms, which are prone to side-channel attacks. It is advised not to rely on RSA PKCS#1 v1.5 encryption, and users are urged to seek alternative backward-compatibility solutions from their vendors. Moreover, disabling RSA does not eliminate the risk. While no instances of the Marvin Attack being used by cybercriminals have been observed so far, publicizing the issue and testing details could increase this risk in the future.
2023-10-01 17:31:11 bleepingcomputer MALWARE LostTrust Ransomware Revealed as Potential Rebrand of MetaEncryptor
The LostTrust ransomware operation is suspected to be a rebranding of the MetaEncryptor gang, with almost identical data leak sites and encryptors. LostTrust commenced its attacks on organizations in March 2023, but gained wider recognition in September of the same year when it started using a data leak site. The data leak site currently lists 53 victims globally, some of whom have already had their data leaked for not paying the ransom. Cybersecurity researchers discovered that the LostTrust and MetaEncryptor encryptors are almost identical, with only minor changes to ransom notes, embedded public keys, and ransom note names. Researchers revealed that both LostTrust and MetaEncryptor are based on the SFile2 ransomware encryptor, which is further substantiated by a significant code overlap identified through an Intezer scan. The ransom demands for LostTrust attacks range from $100,000 to multiple millions of dollars. It is currently unknown whether paying a ransom leads to the deletion of stolen data and the provision of a functioning decryptor.
2023-09-30 14:18:26 bleepingcomputer DDOS Vulnerabilities in Cloudflare Allow For Bypass of DDoS Protections
Cybersecurity research conducted by Stefan Proksch from Certitude revealed vulnerabilities that allow Cloudflare's Firewall and DDoS protections to be bypassed. The logic flaws that enable the attack are found in the cloud service provider's cross-tenant security controls. To exploit the vulnerabilities, attackers must know the targeted web server's IP address and create a free Cloudflare account. This allows them to bypass security measures, placing other Cloudflare customers at risk. The vulnerabilities specifically affect two Cloudflare features: Authenticated Origin Pulls and Allowlist Cloudflare IP Addresses. These security measures are meant to verify that HTTP(S) requests sent to an origin server come through Cloudflare and that the only allowed traffic originates from Cloudflare's IP address range. Proksch found that attackers with a Cloudflare account could tunnel malicious traffic through the infrastructure or direct it to other Cloudflare clients. Mitigating this weakness requires the use of custom certificates rather than those generated by Cloudflare. The findings were reported to Cloudflare via HackerOne in March 2023. As of now, there is no confirmation on whether Cloudflare will implement additional protection mechanisms or warn clients with potentially risky configurations.
2023-09-30 09:54:34 thehackernews CYBERCRIME FBI Reports Rising Trend of Dual Ransomware Attacks Against U.S. Companies
The U.S. Federal Bureau of Investigation (FBI) has warned about a growing trend since July 2023 in which cyber actors target victims with two different ransomware variants, with the attacks often happening in close succession. The targeted companies were attacked by ransomware combinations involving AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal, leading to data encryption, exfiltration, and financial losses due to ransom payments. The FBI has noticed that these attacks increasingly use custom data theft tools, wiper tools and malware to pressure victims into paying the ransom. The FBI encourages organizations to bolster their defenses by maintaining offline backups, monitoring external remote connections and remote desktop protocol use, enforcing multi-factor authentication, auditing user accounts, and segmenting networks. These dual ransomware attacks are an evolution of a phenomenon observed as early as May 2021, part of a growing trend in the cybersecurity landscape involving the exploitation of zero-day vulnerabilities and the proliferation of initial access brokers and affiliates who resell access to victim systems and quickly deploy varying strains of ransomware.
2023-09-30 09:23:51 thehackernews NATION STATE ACTIVITY Iranian-backed APT Group OilRig Deploying New Menorah Malware for Cyber Espionage
Iranian-backed Advanced Persistent Threat (APT) group, OilRig, has been linked to spear-phishing campaigns that deliver a new strain of malware named Menorah, designed for cyber espionage. Trend Micro researchers revealed that the malware can identify the specifications of the infected machine, read and upload the machine's files and download additional malicious files. It is not immediately clear who the targets of these attacks are, but decoys used indicate that at least one is an organisation based in Saudi Arabia. OilRig, also known under a variety of other names including APT34 and Cobalt Gypsy, specializes in covert intelligence gathering and maintaining access within targeted networks. Recent findings suggest that OilRig is continuously developing its capabilities, with a recent phishing attack resulting in the deployment of a new variant of SideTwist malware. The Menorah malware, which is .NET based, has various capabilities including fingerprinting the targeted host, listing directories and files, uploading selected files from the compromised system, executing shell commands, and downloading files to the system. Given its resources and varied skill set, APT34 will likely persist in customising routines and social engineering techniques as part of its ongoing cyber espionage operations.
2023-09-30 04:19:25 thehackernews CYBERCRIME Critical Security Vulnerabilities Uncovered in Exim Mail Transfer Agent
Multiple security flaws have been discovered in the Exim mail transfer agent that could allow information leakage and remote code execution if successfully exploited. The most severe, CVE-2023-42115, permits remote, unauthenticated attackers to run arbitrary code on affected Exim installations and stems from inadequate validation of user-provided data. Fixes for CVE-2023-42114, CVE-2023-42115, and CVE-2023-42116 are currently available in a protected repository and ready for distribution maintainers to apply. The Zero Day Initiative (ZDI) recommends restricting interaction with the Exim application as a key mitigation strategy in the absence of patches for the remaining issues. This incident follows previous revelations of security flaws in Exim, including a set of 21 vulnerabilities known as 21Nails, disclosed by Qualys in May 2021, and a critical Exim vulnerability exploited by the Russian state-sponsored group Sandworm, reported by the U.S. government in May 2020. Recent research from the University of California San Diego highlighted a new method, named forwarding-based spoofing, that exploits weaknesses in email forwarding to send emails impersonating legitimate entities, compromising email integrity.
2023-09-29 21:53:48 bleepingcomputer CYBERCRIME Multiple Ransomware Attacks and Data Breaches Impacting Various Organizations Highlighted in Weekly Summary
The building and automation company Johnson Controls International was targeted by a ransomware attack from the Dark Angels group, resulting in the alleged theft of 27 TB of data from 25 different file servers. The effects of the recent Clop ransomware attacks continue, with the National Student Clearinghouse reporting a data breach impacting 890 educational institutions and the BORN Ontario child registry disclosing a breach impacting approximately 3.4 million individuals. The Hospital for Sick Children, also known as SickKids, was affected by the BORN Ontario security breach. A large Michigan health service provider confirmed that it faced a ransomware attack. The FBI has noted an escalation in ransomware attacks, with victims increasingly facing multiple strains infiltrating their networks in less than two days. Reports cite a range of new ransomware variants discovered by cybersecurity researchers. Security researchers have identified infrastructure belonging to a threat actor, ShadowSyndicate, linked to multiple ransomware deployments over the past year. The Snatch ransomware group has been found to be leaking data about its own location and operations, as well as the IP addresses of its site visitors.
2023-09-29 20:57:44 theregister MALWARE Microsoft Bing Chat Serves Malicious Ads Through Its Platform
Microsoft Bing Chat was discovered serving harmful ads (malvertising) in Bing Chat conversations, as identified by cybersecurity firm Malwarebytes. These harmful ads require the user to click on them to cause damage, such as phishing their login details, pushing malware downloads or exploiting bugs to hijack their computers. The problem originated from the compromised ad account of a legitimate Australian business. Microsoft later confirmed that it had removed these ads and blocked the advertiser, and said it is continuing to monitor its ad network for similar accounts. Security firm Confiant reported that in 2022, 0.21 percent of the ads delivered across all server-side ad platforms contained security violations. Malwarebytes explained that malvertising has for many years been a top web delivery vector for malware and scams, regardless of the user's operating system or location. Threat actors range from amateur to professional, and those with more skills and specific user targets are usually more difficult to detect and stop. This incident reiterates the challenge of mitigating malvertising threats and the importance of prudent web browsing habits and software updates.
2023-09-29 20:11:48 bleepingcomputer CYBERCRIME Millions of Exim Mail Servers Exposed to Zero-Day Vulnerability Attacks
A zero-day vulnerability in all versions of the Exim mail transfer agent (MTA) software has been discovered, potentially exposing millions of servers to remote code execution (RCE) attacks. The security bug, disclosed via Trend Micro's Zero Day Initiative (ZDI), was found by an anonymous researcher and is due to an out-of-bounds write weakness in the SMTP service, which can lead to data corruption or unauthorized code or command execution. The developers have not provided an update on their patch progress, which led ZDI to publish an advisory on the zero-day with a full timeline of its exchanges with the Exim team. MTA servers, which are frequently internet-accessible, are particularly exposed to this bug, making them easy entry points into a network for attackers. The most recent data indicates that over 3.5 million Exim servers are currently exposed online, primarily in the US, Russia and Germany. Until a patch is available, admins have been advised to restrict external access to the servers as a temporary countermeasure.
2023-09-29 19:35:56 theregister NATION STATE ACTIVITY Birmingham Student Convicted for 3D-Printing 'Kamikaze' Drone for ISIS
Mohamad Al Bared, a 26-year-old doctoral student at Birmingham University, has been convicted of constructing a potentially lethal drone for ISIS using his 3D printer at home. Al Bared was found guilty of preparing terrorist acts to benefit a proscribed organization and now faces a possible life sentence. The single-use, video-transmitting drone, which bore similarities to the design of the Tomahawk missile, was supposedly showcased in an ISIS propaganda video shared on Telegram. Aside from the drone, police also uncovered an ISIS application form and other evidence affirming his support for the terrorist group on Al Bared's confiscated phones and laptops and in hand-written notes containing recipes for chemical weapons. The prosecution argued that Al Bared sought to replicate Russian drone attacks in Ukraine and intended for the drones to cause significant casualties in densely populated areas. According to encrypted messages and other digital communications, Al Bared researched chemicals such as sarin, ricin, and mustard gas, along with mechanical detonators and an "explosive" head for the drone. Al Bared failed to convince the court that he built the drone and studied ISIS materials for research purposes in order to counter the terror group at his mosque.