Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11545
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-09-27 21:10:07 | bleepingcomputer | MALWARE | Typosquatted Bitwarden Sites Used to Distribute ZenRAT Malware | Cybercriminals are leveraging fake Bitwarden websites to distribute a new type of password-stealing malware known as ZenRAT. Users are tricked into downloading counterfeit versions of the Bitwarden open-source password manager, which deliver the malware. ZenRAT focuses on extracting browser data, login details, and information about infected hosts, mimicking their system fingerprint so that it appears as if the legitimate user is logging in. The malware appears to be aimed specifically at Windows users and redirects users of other operating systems to an osusource.com article about the password manager. Security firm Proofpoint discovered ZenRAT after receiving a malware sample from Jérôme Segura, senior director of threat intelligence at Malwarebytes. Once active, ZenRAT collects data about the host system to build a detailed profile before sending these details and other stolen data to its control server. Even though ZenRAT primarily functions as an information stealer, Proofpoint suggests it is potentially designed to be modular, with the possibility of expanded capabilities; no additional modules have yet been found in the wild. | Details |
| 2023-09-27 19:51:18 | bleepingcomputer | CYBERCRIME | Johnson Controls and Its Subsidiaries Impacted by Dark Angels Ransomware Attack | Multinational conglomerate Johnson Controls, a provider of industrial control systems, security equipment, air conditioners, and fire safety equipment, fell victim to a major ransomware attack that encrypted company devices and disrupted operations. The initial breach occurred in the company's Asia offices and expanded over the weekend, causing an IT system shutdown and website outages; subsidiaries York, Simplex, and Ruskin started displaying technical outage warnings. The attack has been linked to the Dark Angels ransomware gang, who reportedly used a Dark Angels VMware ESXi encryptor with a ransom note demanding $51 million for a data decryptor and for erasing the stolen data. The cybercriminals claim to have exfiltrated over 27 TB of corporate data and encrypted Johnson Controls' VMware ESXi virtual machines during the attack. Dark Angels, which began operating in May 2022, breaches networks and steals data for double-extortion attacks, deploying ransomware once it has control of a Windows domain controller. Dark Angels runs a data leak site called 'Dunghill Leaks' used for extortion, where it threatens to leak stolen data if the ransom is not paid; nine victims are currently listed, including Sabre and Sysco, which have recently reported cyberattacks. | Details |
| 2023-09-27 16:33:20 | theregister | MISCELLANEOUS | NYC Rights Groups Advocate for Bans on Public and Residential Use of Biometric Tech | More than 30 civil and digital rights organizations have expressed their support for two pending New York state bills – 1014-2023 and 1024-2023 – aimed at banning facial recognition and other biometric tech in public spaces and residential buildings. Groups supporting the legislation include the New York Civil Liberties Union, the Surveillance Technology Oversight Project, and Amnesty International. They have criticized such technology for being biased, error-prone, and detrimental to marginalized communities. Bill 1014-2023 seeks to prohibit public places and providers from using biometric recognition to verify or identify customers and bars businesses from refusing entry based on facial recognition tech (FRT). It also prevents companies from selling customers' biometric data. Bill 1024-2023 focuses on the use of facial recognition and other biometric surveillance in residential settings. Concerns have been raised about landlords using the tech to monitor residents and potentially evict them if the system perceives they were not at home often enough. Advocates cite the incident of lawyer Kelly Conlon, who was turned away by a facial recognition system at Radio City Music Hall. Critics of facial recognition say the technology is often inaccurate, with particular biases against women and people of color. Elsewhere, Clearview AI was forced to stop selling facial recognition databases to most U.S. businesses after a lawsuit settlement with the ACLU, while the company was also fined in the U.K. for data scraping. The European Union adopted a draft of the upcoming AI Act, which includes a complete ban on AI's use for biometric surveillance, emotion recognition, and predictive policing. | Details |
| 2023-09-27 15:52:35 | bleepingcomputer | NATION STATE ACTIVITY | US and Japan Warn of Chinese BlackTech Hackers Targeting Cisco Routers | The US and Japanese cybersecurity agencies have issued a warning regarding the Chinese 'BlackTech' hacker group and its activities. The group is known to breach network devices and install backdoors for accessing corporate networks. BlackTech, also known as Palmerworm, Circuit Panda, and Radio Panda, is a Chinese state-sponsored advanced persistent threat group. It has been conducting cyber-espionage attacks on Japanese, Taiwanese, and Hong Kong entities since at least 2010. The sectors targeted by BlackTech primarily include government agencies, industrial organizations, technology companies, media, electronics, telecommunications, and the defense industry. The group uses custom-made malware to backdoor network devices and steal data by redirecting traffic to servers under its control. It is known to leverage stolen admin credentials to compromise a range of router brands and models and establish persistence. The compromised devices, including Cisco routers, are then used for proxying traffic, blending in with corporate network traffic, and targeting other victims on the same network. BlackTech also modifies firmware to hide its activity on the edge devices and to maintain persistence. To hide configuration changes and the history of executed commands, the group even deactivates logging on a compromised device while carrying out malicious operations. System administrators have been advised to monitor for unauthorized downloads of firmware images and unusual device reboots, and to treat SSH traffic on the router with high suspicion. Network admins are also encouraged to install security patches on edge devices as soon as they become available and to avoid publicly exposing management consoles. | Details |
| 2023-09-27 14:44:13 | thehackernews | MALWARE | AtlasCross Threat Actor Uses Red Cross-Themed Phishing Lures to Distribute New Backdoors | A new threat actor known as AtlasCross has been discovered using Red Cross-themed phishing lures to deliver two previously unknown backdoors, DangerAds and AtlasAgent. The attack begins with a macro-enabled Microsoft document about a fictional blood donation drive from the American Red Cross. When opened, the malicious macro sets up persistence and exfiltrates system metadata to a remote server. The attack also downloads a file (DangerAds), which acts as a loader that launches shellcode leading to the deployment of AtlasAgent, a malware capable of collecting system information, running shellcode, and executing commands. Both AtlasAgent and DangerAds have evasive features built in to avoid detection by security tools. AtlasCross is also suspected of exploiting known security vulnerabilities to gain control of public network hosts and convert them into command-and-control (C2) servers. Though AtlasCross currently operates with a limited scope of activity, its attack methods are robust and sophisticated, indicating the possibility of more extensive and damaging attacks in the future. | Details |
| 2023-09-27 14:09:36 | bleepingcomputer | CYBERCRIME | Researchers Unveil New "GPU.zip" Side-Channel Attack Exploiting Unpatched GPU Vulnerability | Researchers from four American universities have discovered a novel side-channel attack, termed 'GPU.zip', that leverages data compression to extract sensitive visual data from modern graphics cards while browsing websites. The method was tested using the Chrome browser and involved cross-origin Scalable Vector Graphics (SVG) filter pixel-stealing attacks. Graphics Processing Unit (GPU) vendors including AMD, Apple, NVIDIA, and Qualcomm were alerted to the vulnerability in March 2023; however, no patches have been issued as of September 2023. All modern GPUs, especially integrated Intel and AMD chips, perform software-visible data compression even when not explicitly instructed to, and the researchers exploit this behaviour for the GPU.zip attack. According to the researchers, the GPU.zip attack can steal usernames from a Wikipedia iframe in less than 215 minutes on Intel GPUs with an accuracy of 98.3%. The lack of response from impacted vendors and the ubiquity of the vulnerable graphics cards imply a high potential risk, but the complexity and time requirement of the attack moderate the immediate threat to users. The researchers also note that the attack will not work on browsers like Firefox and Safari that do not meet the specific criteria for exploitation. | Details |
| 2023-09-27 12:58:22 | thehackernews | CYBERCRIME | Researchers expose GPU-based side-channel attack breaching sensitive data | A new side-channel attack, GPU.zip, has been discovered by researchers from multiple universities that makes most modern graphics processing units (GPUs) susceptible to information leakage. The vulnerability revolves around the graphical data compression feature in integrated GPUs that improves performance when rendering frames. Despite not being requested by software, this feature compresses visual data losslessly, inducing data-dependent DRAM traffic that can be used as a side channel. Attackers are able to exploit this iGPU-based compression channel to perform cross-origin attacks in browsers. This could allow a malicious webpage to infer individual pixel values from another webpage loaded in an iframe element, effectively bypassing security measures like the same-origin policy. Browsers such as Google Chrome and Microsoft Edge are particularly prone to such attacks since they allow cross-origin iframes to load with cookies, permit rendering SVG filters on iframes, and delegate rendering tasks to the GPU. Mozilla Firefox and Apple Safari, however, are not impacted. The proof of concept demonstrated that a threat actor could use this vulnerability to extract information such as a logged-in user's Wikipedia username. GPUs affected include those from AMD, Apple, Arm, Intel, Nvidia, and Qualcomm. Websites that deny being embedded by cross-origin websites via X-Frame-Options and Content Security Policy rules are not susceptible to the attack. | Details |
| 2023-09-27 12:02:22 | bleepingcomputer | CYBERCRIME | Hackers Target GitHub Repositories Using Dependabot Impersonation to Steal Data | GitHub accounts are being breached by hackers who insert malicious code disguised as Dependabot contributions, aiming to steal authentication secrets and passwords. Checkmarx discovered the attack in July 2023, when unusual Dependabot commits were found on several public and private repositories. The attackers obtain personal GitHub access tokens to make fake commits, which introduce malicious code that exfiltrates secrets and steals passwords. The attackers then used these tokens to add the GitHub Actions workflow file "hook.yml", which triggers on every code push event in the impacted repository. Checkmarx suggests that the attackers may have stolen these tokens through malware, potentially delivered to the developers' devices via a malicious package. Most compromised users are from Indonesia, although it is unclear whether this demographic was specifically targeted. Checkmarx advises GitHub users to switch to fine-grained personal access tokens to limit permissions and reduce the impact if a token is compromised. | Details |
| 2023-09-27 11:24:52 | thehackernews | DATA BREACH | Corporate Confidence in Data Security Rises, but Threats Persist - New Survey | A survey by WinZip Enterprise found increased confidence in data security among industry professionals: 59% reported no security breach in the past year, while 64% expect no breach in the coming year. Though confidence is high, 21% of surveyed professionals were not confident about avoiding security breaches in the next year, and 41% had experienced a security breach within the last 12 months. Security remains a top priority, with 86% of the nearly 500 IT professionals surveyed stating that security was extremely important to their company. The survey shows that 64% of security professionals identified malware and ransomware attacks as the primary concern, and 42% highlighted concerns over vulnerabilities in cloud systems. Other threats include social engineering, phishing attacks, compromised or stolen security credentials, and weak passwords. Concerns the survey found to be severely underestimated include accidental email leaks, weak backup and recovery strategies, and insecure removable media (flash drives). Budgets associated with data security are increasing – 78% of those surveyed plan to significantly or moderately increase their security-related spending. Most organizations are spending in the low to mid six figures on data security – 35% reported a budget between $100,000 and $500,000. The growing importance of data security, and increased adoption of cloud technologies for remote or work-from-anywhere capabilities, are likely contributing to the increased spending on data security. | Details |
| 2023-09-27 08:56:34 | thehackernews | MALWARE | New ZenRAT Malware Targets Windows Users Through Trojanized Bitwarden Password Manager | A new modular remote access trojan (RAT) called ZenRAT is being distributed through fake installation packages of the Bitwarden password manager, deliberately targeting Windows users. The malware, hosted on fake websites, redirects visitors on non-Windows systems to harmless web pages, while Windows users who click the Linux or macOS download links are led to the legitimate Bitwarden website. The payload carrying the malware, named 'Bitwarden-Installer-version-2023-7-1.exe', is a trojanized version of the standard Bitwarden installation package containing a malicious .NET executable known as ApplicationRuntimeMonitor.exe. The malware gathers extensive data about the host, such as CPU and GPU names, browser credentials, installed applications and security software, and sends it to a command-and-control (C2) server operated by the threat actors. ZenRAT sends plaintext logs of system checks and module execution status to its C2 server, indicating that the malware can be extended with additional modules. Users are advised to mitigate such threats by downloading software only from trusted sources and verifying website authenticity. The discovery of ZenRAT coincides with ongoing campaigns by other malware such as Lumma Stealer and Stealc. | Details |
| 2023-09-27 05:26:37 | thehackernews | CYBERCRIME | Google Identifies and Rates Maximum Severity Score for Critical libwebp Vulnerability | Google has announced a critical security flaw in the libwebp image library with the maximum severity score of 10.0 on the CVSS (Common Vulnerability Scoring System). The issue is currently under active exploitation. The flaw, tracked as CVE-2023-5129, is rooted in the Huffman coding algorithm: a specially crafted WebP lossless file causes libwebp to write data out of bounds on the heap. The issue appears to be the same underlying problem addressed by Apple, Google, and Mozilla in a recent bug fix. This earlier bug, tracked separately as CVE-2023-41064 and CVE-2023-4863, allowed arbitrary code execution. Citizen Lab reports that CVE-2023-41064 was used together with CVE-2023-41061 in a zero-click iMessage exploit chain named BLASTPASS, which deploys the notorious mercenary spyware known as Pegasus. Even though CVE-2023-4863 was originally marked as a Google Chrome issue, further analysis shows that it also affects all applications that use the libwebp library to process WebP images, so its impact is broader than initially thought. Google has broadened its response to CVE-2023-4863 by including both ChromeOS and ChromeOS Flex Stable channel fixes with software version 15572.50.0. There have also been new disclosures regarding the exploitation of CVE-2023-0266 and CVE-2023-26083 by commercial spyware vendors targeting Android devices in December 2022. | Details |
| 2023-09-26 21:34:01 | bleepingcomputer | CYBERCRIME | Hackers Use ZeroFont Attack to Trick Outlook into Displaying False AV-Scans | A new phishing operation abuses Microsoft Outlook using the ZeroFont technique, making malicious emails appear safe. The ZeroFont phishing technique manipulates AI and natural language processing (NLP) systems in email security platforms by inserting hidden words or characters in emails that are invisible to human targets but readable by NLP algorithms. This technique, first documented in 2018, can skew the AI's interpretation of content and the result of security checks. In a recent example, a hacker used the ZeroFont technique to manipulate message previews in Microsoft Outlook, displaying a different message in the email list than in the preview pane. The system displays a bogus safety scan, which instills a false sense of legitimacy and security in the recipient. This, in turn, increases the likelihood of the recipient opening and engaging with the email. Other email clients may also be vulnerable to this type of attack; Outlook is just a known example, and users of all email clients should remain vigilant. | Details |
| 2023-09-26 20:01:17 | bleepingcomputer | CYBERCRIME | Sony Probing Potential Cyberattack as Multiple Hackers Claim Responsibility | Sony has started investigating allegations of a cyberattack as two different hacker groups claimed responsibility for the same attack. The extortion group RansomedVC initially claimed to have successfully hacked Sony and extracted 260GB of its data, which they are attempting to sell for $2.5 million. A different threat actor named 'MajorNelson', on the other hand, claims it was responsible for the attack and has outright denied RansomedVC's claims. MajorNelson has leaked a 2.4GB compressed archive containing an array of credentials and data files that it alleges belong to Sony. The shared data does seem to belong to Sony, although the actual authenticity of the claims by either group remains unverified. The situation is complex as both hacker groups are vying for 'credit' for the hack. Still, it's clear that Sony has experienced a significant data leak and is investigating these claims further. This alleged cyberattack follows Sony's previous encounter with a major breach in 2014, when North Korean hackers targeted Sony Pictures. | Details |
| 2023-09-26 19:08:42 | bleepingcomputer | DATA BREACH | Sony Allegedly Suffers Data Breach as Hackers Quarrel Over Responsibility | Sony is investigating allegations of a cyberattack this week, with claims of responsibility coming in from different hacker groups, including RansomedVC and another called MajorNelson. Over 3.14 GB of uncompressed data, purportedly belonging to Sony, has been leaked on hacker forums. RansomedVC initially claimed responsibility for hacking SONY.com, stating it had compromised the company's systems and intended to sell the stolen data. The group claimed to have stolen about 260GB of data and attempted to sell it for around $2.5 million. MajorNelson also claimed responsibility for the attack, stating it had "leaked for free" a 2.4 GB compressed data file containing data allegedly from Sony. MajorNelson also discredited RansomedVC's claims, accusing them of lying to gain influence. The veracity of either hacker group's claim could not be independently verified, and it remains unclear who is responsible for the purported attack. | Details |
| 2023-09-26 17:04:45 | theregister | CYBERCRIME | Red Hat Engineer Unveils Marvin Attack, Exposes Vulnerabilities in RSA Encryption | Engineer Hubert Kario from Red Hat has discovered vulnerabilities in 25-year-old RSA public-key cryptography implementations, naming the attack Marvin. He found that some software using the PKCS#1 v1.5 padding scheme for RSA key exchange – once thought to be safe from Daniel Bleichenbacher's previously identified 'Oracle Threat' – is actually susceptible. By measuring the amount of time it takes to process specifically crafted RSA ciphertexts, an attacker can decrypt the target plaintext message and forge digital signatures. Attack times can vary drastically depending on the hardware and software being used, as well as the attacker's access. The vulnerability in the M2Crypto library was reported in October 2020 and partially fixed, but the library is believed to still be susceptible to attacks. Kario's recommendation is to stop using the vulnerable RSA PKCS#1 v1.5 encryption, as most modern systems rely on Elliptic Curve Diffie-Hellman. Kario's research highlights a wider concern: any implementation built on a general-purpose integer library, including OpenSSL's BIGNUM, NSS's MPI, Java's BigInteger, Python's int, Rust's apint, GNU MP's mpz_t, Go's math/big Int, etc., may face similar issues. | Details |