Daily Brief

2023-09-25 17:33:06 bleepingcomputer DATA BREACH Clop Ransomware Breach Affects Ontario Child Registry BORN, Impacting 3.4 Million Individuals
The Better Outcomes Registry & Network (BORN), an Ontario-based healthcare organization, has suffered a data breach affecting approximately 3.4 million people. The breach was part of a broader series of attacks by Clop ransomware leveraging a zero-day vulnerability (CVE-2023-34362) in the Progress MOVEit Transfer software. BORN became aware of the security breach on May 31 and took measures to isolate the impacted servers and contain the threat. The threat actors copied files containing sensitive information of primarily newborns and patients undergoing pregnancy care who had used BORN services between January 2010 and May 2023. BORN states there is currently no evidence of any stolen data circulating on the dark web or being misused for fraudulent purposes. The organization advises potentially impacted individuals to treat unsolicited communications with caution, and report any suspected fraudulent activity to the police and service providers.
2023-09-25 16:09:31 bleepingcomputer MISCELLANEOUS Google to Retire Gmail Basic HTML View in 2024
Google will retire Gmail's Basic HTML view in January 2024, after which users will need a modern browser to access the webmail's Standard view. The Basic HTML view was a simplified version of Gmail that supported users with limited internet access, older hardware or legacy web browsers, as well as users who relied on tools like text-to-speech for visual impairments. Google did not give specific reasons for the decision; the email notification sent to users stated: "Once basic HTML view is disabled, users will automatically be redirected to the standard Gmail view which provides the latest in Gmail security and features." After the retirement date only the Standard view will remain, so users who depend on the Basic HTML view should prepare to transition to it or switch to a desktop email client. The retirement may affect users who need accessibility features, since the Basic HTML view often works better with text-to-speech tools because of its simpler page structure. Users of older hardware may prefer lightweight desktop clients such as Mozilla Thunderbird and Microsoft Outlook over web-based platforms; Thunderbird in particular is known to work well with screen readers and offers display adjustments for users with visual impairments.
2023-09-25 15:16:30 bleepingcomputer MALWARE Xenomorph Android Malware Targets U.S. Banks and Cryptocurrency Wallets in New Campaign
Security researchers have discovered a new campaign distributing a new version of the Xenomorph Android malware, targeting users in the United States, Canada, Spain, Italy, Portugal, and Belgium. The newest version of the malware is focusing on users of cryptocurrency wallets and various U.S. financial institutions. Xenomorph, a banking trojan, had its origins in early 2022 and initially aimed at 56 European banks using screen overlay phishing. It was distributed via Google Play and had over 50,000 installations. The malware continues to evolve, with new versions said to be more modular and flexible. Its current distribution method involves a dropper named "BugDrop" that bypasses security features in Android 13 and a distribution platform "Zombinder" that embeds the threat in genuine Android apps' APK files. Users are primarily tricked into downloading the malicious APK via phishing pages posing as Chrome browser updates. The newest versions of the malware come with features enabling it to mimic other applications and simulate screen taps, bypassing certain security warnings. Security analysts were also able to uncover additional malicious payloads including the Android malware variants Medusa and Cabassous, the Windows information stealers RisePro and LummaC2, and the Private Loader malware loader through access to the malware operator's payload hosting infrastructure.
2023-09-25 13:25:06 bleepingcomputer CYBERCRIME Mixin Network Halts Operations Following Major $200m Hack
Mixin Network, a peer-to-peer digital assets transactional network, has halted deposits and withdrawals following a $200 million hack on September 23. The attack targeted the database of Mixin's cloud service provider. Mixin has promised to take action to address the loss of assets but any specific solutions will be announced at a later date. Blockchain trackers PeckShield and Lookonchain have identified about $141 million of the stolen assets. Despite suspicions due to their history with crypto heists, the Lazarus group of North Korean hackers has not been tied to the Mixin incident. This hack ranks as one of the most significant cryptocurrency thefts to date.
2023-09-25 13:06:02 thehackernews NATION STATE ACTIVITY Ukrainian Military Entities Targeted by Phishing Campaign Deploying Drone Manuals
Ukrainian military bodies have been targeted in a phishing campaign that uses drone manuals as lures to deliver Merlin, a widely used, Go-based, open-source post-exploitation toolkit. Phishing documents posing as drone service manuals have appeared, reflecting the central role drones play in the Ukrainian military. Cybersecurity firm Securonix tracks the campaign as STARK#VORTEX, and its research shows that the attack begins with a Microsoft Compiled HTML Help (CHM) file. When opened, the file executes malicious JavaScript embedded in one of its HTML pages, which contacts a remote server to fetch an obfuscated binary. The binary is then decoded to reveal the Merlin Agent. Once active, the agent connects to a command-and-control (C2) server for post-exploitation actions, giving the attacker control of the host. This is the first time Merlin has been observed in attacks against Ukrainian government bodies. The Ukraine Computer Emergency Response Team (CERT-UA) has previously reported similar attack chains that use CHM files as decoys to infect computers with open-source tools, and attributes them to a threat actor it tracks as UAC-0154. The activity follows CERT-UA's detection of an unsuccessful cyber attack against a key energy infrastructure facility in Ukraine, which it attributed to APT28, a Russian state-sponsored group.
2023-09-25 12:19:17 thehackernews CYBERCRIME Webinar Session to Discuss Harnessing AI Defenses Against AI-Powered Risks
AI tools like ChatGPT are increasing productivity in areas such as IT, customer experience, and engineering. Despite the benefits, AI use also presents significant risks, including IP leakage, data privacy threats, and the potential for cybercriminals to harness AI tools. In a Gartner survey, generative AI's potential to empower cybercriminals was the second most-reported Q2 risk among senior enterprise risk executives. The webinar, hosted by Zscaler's Will Seaton, aims to show participants how to manage generative AI risk while enhancing productivity. It is aimed both at those already familiar with generative AI and at those keen to learn about AI and ML innovations. The discussion will focus on the threat posed by generative AI in the cybersecurity space and on how AI-powered innovation at Zscaler can help secure data, applications, and users. The webinar is scheduled for October 2nd.
2023-09-25 11:20:22 thehackernews CYBERCRIME The Rising Threat of Credential Stuffing Attacks: A Call for Stronger Password Policies
Weak password policies are leaving organizations vulnerable to attack: almost 83% of compromised passwords would meet the password complexity and length requirements of compliance standards. Credentials stolen in data breaches are traded on the dark web and then used in 'credential stuffing' attacks, in which attackers automatically try large numbers of username and password combinations against many websites. The supply of stolen credentials available for such attacks has grown with the increasing frequency and scale of data breaches. One analysis over a three-month period found more than 44 million Microsoft users reusing passwords, a practice that increases exposure to account takeover. More than 15 billion stolen credentials are currently on the dark web, including credentials from recently attacked companies like PayPal. Organizations can protect their accounts by quickly identifying breached passwords and notifying the affected accounts. This can be done with paid tools like Specops Password Policy or free options such as Specops Password Auditor. Rigorous enforcement of stringent password policies, with requirements on password length and complexity and a ban on common character patterns, would also go a long way toward mitigating credential stuffing threats.
2023-09-25 11:06:21 thehackernews NATION STATE ACTIVITY Persistent Cyber-Espionage Campaign by EvilBamboo Targets Tibetans, Uyghurs, and Taiwanese
Tibetan, Uyghur, and Taiwanese individuals and organizations have been persistently targeted by a threat actor codenamed EvilBamboo in a bid to gather sensitive information. The attacker has created fake Tibetan websites and social media profiles to deploy browser-based exploits against the targeted users. EvilBamboo has been linked to multiple attack waves since 2019, using watering hole attacks to deliver spyware targeting Android and iOS devices. The group uses Android malware such as ActionSpy and PluginPhantom, disguised as dictionary, keyboard, and prayer apps on third-party app stores, to gather data from infected devices. The latest findings attribute three new Android espionage tools to EvilBamboo: BADBAZAAR, BADSIGNAL, and BADSOLAR. The distribution chains for the malware also include APK sharing forums, bogus social media profiles, and Telegram groups that share Android apps. Researchers warn that these campaigns highlight both the importance of installing apps only from trusted authors and the lack of effective measures to keep malicious apps off official app stores.
2023-09-25 10:21:29 theregister DATA BREACH T-Mobile US Exposes Customer Data Due to Glitch and Denies Separate Breach Allegations
T-Mobile US confirmed that a system glitch briefly exposed data of fewer than 100 customers. Although some concluded that another cyber breach had occurred, T-Mobile denied that anything beyond this glitch had happened and stressed that it was quickly resolved. Allegations of an additional T-Mobile data leak were raised on Twitter by the malware repository vx-underground. T-Mobile examined the data, however, and identified the independently owned dealer Connectivity Source as its source, tracing it to a breach that dealer suffered in April. Connectivity Source, which acts exclusively as a white-labeled T-Mobile US retailer, had approximately 17,835 employee data records across the US stolen in that April breach. Other security news included GitLab's security update, Atlassian's serious security patches, significant vulnerabilities in OT systems, and Palo Alto Networks' discovery of a fake PoC being used to distribute malware. Cyber insurance firm Coalition reported a 27% YoY increase in ransomware claims in 1H 2023; the severity of those claims climbed by 61% in the same timeframe and by 117% over the past year. Sophos highlighted a rise in pig butchering scams targeting cryptocurrency liquidity mining, with one scam ring making over $1 million in just three months.
2023-09-25 09:31:52 thehackernews NATION STATE ACTIVITY New Report Reveals Multi-faceted Chinese Espionage Campaign Against Southeast Asian Government
An unnamed Southeast Asian government has been subjected to a persistent cyberespionage campaign by multiple China-affiliated threat actors. The campaign spanned from Q2 2021 to Q3 2023. Cybersecurity researchers have identified three distinct clusters of attack, each with its own tools and modus operandi. These clusters are referred to as Stately Taurus (aka Mustang Panda), Alloy Taurus (aka Granite Typhoon), and Gelsemium. The Mustang Panda cluster focused on stealing sensitive information and maintaining a clandestine foothold. It deployed a range of notable software for this purpose, including LadonGo, AdFind, Mimikatz, Impacket, China Chopper web shells, Cobalt Strike, ShadowPad, and a new version of the TONESHELL backdoor. The Alloy Taurus intrusion began in early 2022 and relied on covert techniques and vulnerabilities in Microsoft Exchange Servers for long-term persistence and reconnaissance. It also used two unique .NET backdoors, Zapoa and ReShell, to execute remote commands and harvest sensitive data. The Gelsemium cluster targeted vulnerable IIS servers with the intent of covertly gathering intelligence. It used tools such as Cobalt Strike, Meterpreter, Earthworm, and SpoolFool for post-exploitation, along with backdoors including OwlProxy and SessionManager. Common to all three clusters was the use of malicious tools and techniques to exploit vulnerabilities, steal sensitive documents, and maintain long-term operations. The apparent intent behind the activity is the persistent collection and exfiltration of sensitive documents and intelligence.
2023-09-25 00:15:00 thehackernews CYBERCRIME Newly Discovered 'Sandman' Threat Actor Targets Telecom Providers Using Lua-Based Malware 'LuaDream'
An unidentified threat actor, dubbed 'Sandman,' is behind cyberattacks on telecoms providers in the Middle East, Western Europe, and South Asia. The actor uses LuaJIT, a Just-In-Time (JIT) compiler for the Lua programming language, to deploy new malware termed 'LuaDream.' Sandman's activity involves strategic lateral movement and minimal engagement, suggesting a deliberate approach aimed at minimizing detection risk. Researchers noted that the LuaDream operation indicates a large-scale project that is well developed and actively maintained. SentinelOne first observed the attacks in August 2023; analysis of the implant's source code dates the preparatory work back to June 2022. Researchers suspect that LuaDream is a variant of a new malware strain that Kaspersky refers to as 'DreamLand.' LuaDream is a modular, multi-protocol backdoor designed primarily to exfiltrate system and user information and to manage attacker-provided plugins that extend its features. The malware also uses anti-debugging techniques to evade detection and analysis. The initial access method remains unclear; the actor has been observed stealing administrative credentials and conducting reconnaissance to reach targeted workstations and deliver LuaDream. The discovery of this activity coincides with reports of sustained strategic intrusions by Chinese threat actors targeting the telecommunication, finance, and government sectors in Africa. SentinelOne detected a compromise of a North African telecommunications entity that coincided with the entity's private discussions about further regional expansion. Taken together, the Sandman attacks and those by Chinese groups indicate concerted efforts by threat actors to shape policies and narratives in line with geostrategic ambitions, underlining the need for advanced defensive measures and holistic cybersecurity strategies.
2023-09-25 00:15:00 thehackernews CYBERCRIME Apple Rushes Security Patches for Exploited Zero-Day Flaws in Multiple Devices
Apple has released security patches for three actively exploited zero-day vulnerabilities across its iOS, iPadOS, macOS, watchOS, and Safari software, bringing the number of zero-days it has fixed this year to 16. The company has not provided specifics about the security issues but did note that the vulnerabilities may have been exploited against versions of iOS earlier than iOS 16.7. Bill Marczak of the Citizen Lab at the University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group (TAG), who reported the flaws, suggest they may have been used to deliver spyware to members of civil society at high risk of targeting. Two weeks earlier, Apple had patched two other exploited zero-days (CVE-2023-41061 and CVE-2023-41064), used in a zero-click iMessage exploit chain named BLASTPASS to deliver the Pegasus spyware. An analysis from cybersecurity firm Rezilion highlighted that a flaw in the libwebp library, already patched by Google and Mozilla, is present across many operating systems, software packages, Linux applications, and container images, broadening the potential attack surface.
2023-09-25 00:15:00 thehackernews CYBERCRIME Former Egyptian MP Targeted with Predator Spyware Through Exploitation of Apple Zero-Days
On September 21, 2023, Apple addressed an exploit chain that used three zero-day vulnerabilities in its software in an attempt to deliver the Predator spyware to former Egyptian MP Ahmed Eltantawy. Citizen Lab, which attributed the attack to the Egyptian government based on its known use of the spyware, reported that the targeting ran from May to September, after Eltantawy publicly announced his plans to run in the 2024 presidential election. The commercial spyware was delivered via links sent over SMS and WhatsApp, and when Eltantawy visited certain non-HTTPS websites he was redirected to a malicious site hosting Predator. The exploited vulnerabilities, tracked as CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, could be used to bypass certificate validation, escalate privileges, and achieve remote code execution on the targeted devices. Predator, developed by Cytrox, is comparable to NSO Group's Pegasus spyware and lets its operators surveil targets and extract sensitive data from compromised devices. The U.S. government blocklisted Cytrox, part of the Intellexa Alliance, in July 2023 for "enabling campaigns of repression and other human rights abuses." Google TAG also discovered an exploit chain that used a remote code execution flaw in the Chrome web browser (CVE-2023-4762), potentially enabling delivery of Predator to Android devices. In light of these findings, Citizen Lab stresses the potential for surveillance tools to be abused against civil society and highlights weaknesses in the telecom ecosystem that can be exploited to intercept network traffic and inject malware.
2023-09-25 00:15:00 thehackernews MALWARE Stealth Falcon Uses Advanced Deadglyph Backdoor Malware in Cyber Espionage Campaign
Cybersecurity researchers have uncovered an advanced backdoor named "Deadglyph" used by Stealth Falcon, a threat actor engaged in cyber espionage. Unlike typical malware written in a single programming language, Deadglyph combines a native x64 binary with a .NET assembly, likely to hinder analysis and debugging. Actor-controlled servers deliver commands to the malware as additional modules, enabling it to create new processes, read files, and collect information from compromised systems. Stealth Falcon, first exposed in 2016, was linked to a series of spyware attacks against journalists, activists, and dissidents in the Middle East that used spear-phishing. The group is suspected of being the same actor behind Project Raven, an operation in which former U.S. intelligence operatives employed by the cybersecurity firm DarkMatter were hired to spy on critics of the Arab monarchy. Deadglyph, Stealth Falcon's latest tool, was discovered during an intrusion at an undisclosed governmental entity in the Middle East. ESET reported that the malware has several counter-detection mechanisms, including continuous monitoring of system processes, randomized network patterns, and the ability to uninstall itself to minimize detection.
2023-09-25 00:15:00 bleepingcomputer DATA BREACH Air Canada Reports Data Breach Impacting Employee Records
Air Canada reported a cybersecurity incident in which hackers "briefly" gained limited access to its internal systems, resulting in the theft of certain employee records. The airline emphasized that its flight operations and customer-facing systems were not affected and that customer information was not accessed or compromised. Air Canada has contacted the affected employees and the relevant law enforcement authorities, and confirmed that all of its systems are fully operational following the brief breach. Since the incident, the airline has implemented additional security measures with the help of global cybersecurity experts to prevent a recurrence. This is not the first security breach Air Canada has experienced: in 2018, profile information of 20,000 mobile app users was accessed by unauthorized parties, prompting the airline to temporarily lock out all 1.7 million of its mobile app accounts as a safeguard.