Daily Brief
Total articles found: 12631
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-12-19 11:44:29 | thehackernews | NATION STATE ACTIVITY | Iranian MuddyWater Hackers Target Telecoms in Africa with MuddyC2Go | Iranian group MuddyWater, linked to Iran's Ministry of Intelligence, has been using a new C2 framework, MuddyC2Go, for cyber espionage, particularly targeting African telecom sectors. Security teams such as Symantec's Threat Hunter Team are closely monitoring the group, which is known by various aliases including Seedworm and TEMP.Zagros. MuddyC2Go, which may have been in use as early as 2020, provides remote access to compromised systems via an embedded PowerShell script that connects to the group's servers. Recent attacks in November 2023 employed MuddyC2Go alongside other tools, such as custom keyloggers, Venom Proxy, and legitimate remote access software, for initial infiltration and persistence in victim networks. MuddyWater's campaign includes phishing, exploitation of unpatched systems, reconnaissance, lateral movement, and data exfiltration, all while trying to remain undetected by blending in with legitimate tools and operations. The group continues to evolve its toolset and tactics, underscoring that organizations need to monitor for and secure against suspicious use of PowerShell. The article also refers to retaliatory cyber activity by an Israeli-linked group, Gonjeshke Darande, targeting Iranian infrastructure in response to regional aggression. |
| 2023-12-19 11:03:31 | thehackernews | MALWARE | Malvertising Campaign Spreads PikaBot via Fake Software Ads | A new malvertising campaign is distributing malware, including PikaBot, disguised as legitimate software such as AnyDesk. PikaBot, which emerged in 2023, enables threat actors to execute commands and deliver further malware payloads, such as Cobalt Strike, from remote servers. Cybersecurity researchers have found that the malware is propagated via a malicious Google ad that directs users to a counterfeit website delivering the malware. The threat actors use sophisticated techniques to bypass security measures, including fingerprinting to filter out virtual machines and abusing legitimate marketing platforms for redirection. Malicious ads have also been found targeting searches for other popular software, suggesting a systematic malvertising effort to compromise network security. Trend Micro separately revealed a new rogue Chrome extension, ParaSiteSnatcher, which specifically targets Latin American users and intercepts sensitive financial information using extensive permissions. The continuing rise of malvertising and browser-based attacks highlights the need for stronger security practices such as Zero Trust to protect data. |
| 2023-12-19 10:47:43 | bleepingcomputer | DATA BREACH | Over 35 Million Affected in Xfinity Citrix Server Breach | Xfinity disclosed a massive data breach in which an attacker exploited a critical vulnerability in Citrix systems known as Citrix Bleed (CVE-2023-4966). The breach, which occurred between October 16 and 19 and was detected following a Citrix update on October 25, resulted in the exfiltration of personal data for more than 35 million customers. Compromised information may include usernames, hashed passwords, partial Social Security numbers, contact details, dates of birth, and security question answers. Xfinity had customers reset their passwords and notified affected parties, though confusion arose when users received reset prompts without an initial explanation. In a previous incident a year ago, Xfinity accounts were hacked, leading to additional breaches on platforms such as Coinbase and Gemini. Comcast insists that the breach did not affect its operations and states that no customer data has been leaked and no ransom has been demanded following the incident. The company reinforces the importance of using two-factor or multi-factor authentication as an additional security measure. |
| 2023-12-19 09:31:03 | theregister | MALWARE | Qakbot Malware Reemerges Despite FBI-Led Botnet Disruption | Qakbot malware has resurged just months after a major law enforcement takedown dubbed Operation Duck Hunt. Microsoft Threat Intelligence reports a new low-volume Qakbot phishing campaign targeting the hospitality sector with malicious PDFs. The campaign uses a PDF template similar to the one used by PikaBot malware, both of which are associated with the group TA577. The updated Qakbot version is a 64-bit build, uses AES for network encryption, and shows new communication patterns. Although the operation initially succeeded in seizing Qakbot's infrastructure and the operators' cryptocurrency wallets, no arrests were made, raising questions about its long-term efficacy. Cybersecurity experts caution that without arrests, malware networks like Qakbot are likely to adapt and resurface, and they stress the need for organizations to maintain strong cybersecurity practices. Comparisons are drawn to Emotet's resurgence after a law enforcement crackdown, suggesting a likely pattern for Qakbot's continued activity. |
| 2023-12-19 07:03:41 | thehackernews | MALWARE | 8220 Gang Targets Oracle WebLogic to Deploy Malware | The 8220 Gang has been exploiting a vulnerability in Oracle WebLogic Server, tracked as CVE-2020-14883, to spread malware. This remote code execution vulnerability allows attackers with valid credentials to take control of affected servers. Attackers use compromised credentials or chain another vulnerability, CVE-2020-14882, to bypass authentication on Oracle WebLogic Server. The gang has a track record of abusing security flaws for cryptojacking operations, including a previous Oracle WebLogic Server vulnerability from May. Recent attacks use crafted XML files to execute code that deploys stealer and mining malware, such as Agent Tesla, rhajk, and nasqa. Industries targeted by these attacks include healthcare, telecommunications, and financial services in several countries, including the U.S. and Mexico. Despite their relatively unsophisticated methods, the 8220 Gang continues to adapt its techniques to evade detection. |
| 2023-12-19 05:47:22 | thehackernews | RANSOMWARE | Global Ransomware Campaign Affects 300 Entities Amidst Evolving Threats | Approximately 300 organizations worldwide have been impacted by the Play ransomware, according to a joint advisory from Australia and the U.S. Play ransomware, also known as Balloonfly or PlayCrypt, exploits vulnerabilities in Microsoft Exchange servers and Fortinet appliances to deploy its payload. Ransomware attacks are shifting from phishing to vulnerability exploitation, with a significant increase noted in the first half of 2023. Adlumin's report suggests that Play has evolved into a ransomware-as-a-service (RaaS) operation, pointing to a growing trend in the cybercriminal ecosystem. The Play ransomware group specializes in double extortion and instructs victims to contact it via email for ransom negotiations. U.S. government agencies also shed light on groups like Karakurt, which focus on extortion without encryption, and on the temporary outage of the BlackCat ransomware's portals, attributed either to law enforcement activity or to hardware issues. Collaborations among ransomware groups, such as the joint campaign between BianLian, White Rabbit, and Mario, are becoming more common, driven by the role of initial access brokers and the dispersal of cybercriminal networks following law enforcement actions. |
| 2023-12-19 00:06:57 | bleepingcomputer | DATA BREACH | Xfinity Announces Customer Data Compromised After Citrix Server Hack | Comcast's Xfinity confirmed a data breach resulting from a hacked Citrix server. The intrusion was detected after attackers exploited a critical Citrix vulnerability known as CVE-2023-4966. The breach occurred between October 16 and October 19, and the investigation confirmed on November 16 that customer data had been stolen. Compromised information includes usernames, hashed passwords, and potentially additional personal data. Xfinity has responded by prompting users to reset their passwords, though the reason for the resets was not initially communicated to customers. This incident follows a breach a year ago in which Xfinity accounts were hacked and used to compromise accounts on other services, such as Coinbase and Gemini. The ongoing investigation aims to establish the full scope and impact of the breach while Xfinity strengthens security measures to protect user accounts. |
| 2023-12-18 22:50:31 | theregister | NATION STATE ACTIVITY | Hacktivist Group Disrupts Iran's Gas Stations Amid Regional Tensions | The hacktivist group Predatory Sparrow claimed responsibility for a cyberattack that disrupted roughly 70% of Iran's gas stations. Iran's Oil Minister confirmed an attack on IT systems, which led to long queues and traffic jams as citizens struggled to refuel. The incident took place during heightened tensions in the Middle East, particularly between Iran and Israel over the ongoing Gaza conflict. Predatory Sparrow, which has been linked to previous cyberattacks on Iranian infrastructure, framed the attack as a response to Iranian regional actions, and its conduct signals possible ties to a nation-state. The group said it attempted to limit the damage from the attack, claiming to have taken precautions to avoid affecting emergency services. At the same time, pro-Hamas groups have stepped up cyberattacks on Israeli and American targets, and Israel blamed Iran and Hezbollah for a cyberattack on Safed's Ziv Medical Center. Iran's accusations and the technical sophistication of the attacks point to a more complex landscape, potentially involving state-sponsored activity rather than mere hacktivism. |
| 2023-12-18 20:58:35 | theregister | DATA BREACH | Mr Cooper Mortgage Lender Suffers Major Data Breach Impacting 14.7M | Mortgage lender Mr Cooper experienced a significant data breach that compromised the personal information of nearly 14.7 million individuals. The breach was initially reported in October as an isolated incident, but recent filings reveal an extensive loss of highly sensitive data. Unauthorized system access occurred between October 30 and November 1, 2023, leading to the theft of names, addresses, Social Security numbers, dates of birth, and bank account information. The breach affects customers of Mr Cooper and associated brands such as Nationstar Mortgage LLC and Centex Home Equity. Mr Cooper is actively monitoring the dark web for potential misuse of the stolen data and is offering two years of free credit monitoring to affected individuals. The company has issued an apology and emphasized the importance of customer trust, while also disclosing that its estimated costs related to the breach have risen to $25 million. Forensic investigations, engagement with law enforcement, and legal defenses are ongoing as the company addresses the consequences of the cyberattack. |
| 2023-12-18 20:53:11 | bleepingcomputer | MALWARE | Critical Remote Code Execution Flaw Detected in Perforce Server | Microsoft identified a critical remote code execution flaw, CVE-2023-45849, in Perforce Helix Core Server that could give unauthenticated attackers privileged access. Four vulnerabilities were reported in total, with the other three enabling potential denial of service. Perforce Helix Core Server is widely used in industries such as gaming, government, military, and technology, amplifying the potential impact of exploitation. Microsoft, which uses the Perforce platform for game development, conducted a security review and responsibly reported the issues to Perforce. There have been no known exploitation attempts in the wild, but upgrading to the patched version 2023.1/2513900 is strongly advised to mitigate the risk. Microsoft recommends additional protective measures, including following Perforce's official security guidelines, to secure systems against these vulnerabilities. |
| 2023-12-18 19:50:20 | theregister | CYBERCRIME | VF Corporation Hit by Disruptive Cybersecurity Incident | VF Corp, the parent company of The North Face and Vans, experienced significant operational disruption due to a cyber intrusion detected on December 13. The attack involved the encryption of IT systems and the theft of data, including personal information, pointing to a ransomware incident. Retail stores remain open and e-commerce sites are accepting orders, but the company's order fulfillment capabilities are currently impaired. VF Corp responded promptly by containing the threat, engaging a cybersecurity firm to investigate, and working with federal law enforcement. The corporation is actively working on remediation to minimize the impact on retail and wholesale customer service. VF's SEC filing acknowledges that the cyberattack will have a material impact on its business operations, but the full financial implications are yet to be determined. This cyberattack follows other significant breaches this year, including a costly network breach at Clorox Company and ransomware attacks on Caesars Entertainment and MGM Resorts. |
| 2023-12-18 18:59:16 | bleepingcomputer | CYBERCRIME | VF Corporation Suffers Disruptive Ransomware Attack Impacting Operations | VF Corporation, owner of prominent brands such as Vans and The North Face, reported a ransomware attack that disrupted its business operations. The cyberattack on December 13, 2023, led to the encryption of some of the company's computers and the theft of personal data. VF Corp responded by shutting down affected systems and engaging external security experts to contain the breach. It remains unclear whose personal data was compromised (employees, partners, or customers), and no ransomware group has claimed the attack. The incident has significantly impacted VF Corp's operations and is likely to continue affecting the business while recovery efforts are underway. Physical retail stores of VF Corp's brands remain operational worldwide, but delays are expected in fulfilling online orders, and there may be issues placing new orders. The company is currently evaluating the full extent of the breach and its financial and operational implications, with the situation exacerbated by the timing of the Christmas shopping season. |
| 2023-12-18 18:18:16 | bleepingcomputer | MISCELLANEOUS | Microsoft Releases Tool to Resolve HP Printer Misconfiguration | Microsoft has released a new troubleshooter to correct a widespread issue in which Windows PCs mislabel printers as HP LaserJet M101-M106. Users on various online platforms and Microsoft's community site reported printers being renamed and the HP Smart app being installed without prompting. The problem stems from incorrect printer metadata introduced in late November and affects Windows 10 (version 1809 or later) and Windows Server 2012 or newer. The troubleshooter restores the correct printer model information and removes unrelated HP Smart app installations. Enterprise administrators are advised to run the tool under the Local System account so that the fix applies to all users on a system. Microsoft notes that it might take several hours for the changes to take effect once the troubleshooter has been run. This incident follows a similar issue earlier in the year that affected the automatic Wi-Fi connection setup of certain printers. |
| 2023-12-18 16:26:21 | bleepingcomputer | CYBERCRIME | FBI Warns of Play Ransomware Affecting Hundreds of Organizations | The FBI, CISA, and ASD's ACSC have jointly warned that the Play ransomware group has compromised approximately 300 organizations, including critical infrastructure. Attacks by the Play ransomware, which began in June 2022, have affected sectors across North America, South America, and Europe. Unlike typical ransomware groups, Play's affiliates use email for negotiation and steal sensitive data before encrypting victims' files. High-profile victims include the City of Oakland, car retailer Arnold Clark, Rackspace, and the Belgian city of Antwerp. The advisory recommends that organizations address known vulnerabilities, implement multifactor authentication, and regularly update and patch software. Government agencies advise following the mitigation strategies in the joint advisory, which include maintaining offline backups and implementing a recovery plan. |
| 2023-12-18 15:45:24 | thehackernews | MALWARE | Zero-Click Outlook Exploits Allow Remote Code Execution | Two patched security flaws in Microsoft Windows could be exploited for zero-click remote code execution (RCE) in Outlook. The vulnerabilities, CVE-2023-35384 and CVE-2023-36710, could lead to unauthorized access to Outlook servers and to NTLM credential theft. Russia's APT29 has actively exploited similar flaws to gain unauthorized access to Exchange servers. CVE-2023-35384 is a bypass of a security fix issued in March, while CVE-2023-36710 is an integer overflow in the Windows Audio Compression Manager. An attacker could cause Outlook clients to download and automatically play a malicious sound file, resulting in RCE without user interaction. To counter these threats, organizations are advised to use microsegmentation, disable NTLM, or add users to the Protected Users security group. |