Daily Brief
Articles are listed below; the summaries are automatically generated.
Total articles found: 11542
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2023-09-25 00:15:00 | bleepingcomputer | NATION STATE ACTIVITY | Advanced Persistent Threat Group Gelsemium Targets Southeast Asian Government | Gelsemium, an advanced persistent threat (APT) group known for cyberespionage, is conducting an attack on a Southeast Asian government that has been ongoing for six months. The group has been operational since 2014 and typically targets government and educational organizations and electronics manufacturers in East Asia and the Middle East. The attack was initially carried out by installing web shells, likely through exploiting vulnerabilities in internet-facing servers. Gelsemium then conducted basic network reconnaissance and lateral movement via SMB. The group employs tools such as OwlProxy, SessionManager, Cobalt Strike, SpoolFool, and EarthWorm for lateral movement, data collection, and privilege escalation. The attackers adapt their approach as required, introducing new tools and strategies when their initial ones are thwarted by security solutions. Cybersecurity firm Unit 42's report on the attacks notes the group's tenacity and resourcefulness, including its use of rarely seen backdoors linked to the threat actors. |
| 2023-09-25 00:15:00 | bleepingcomputer | MALWARE | Stealth Falcon APT Uses Modular Deadglyph Malware in Cyberespionage Against Middle Eastern Government | Stealth Falcon APT, a state-sponsored hacking group from the UAE known for targeting activists, journalists, and dissidents, has deployed a sophisticated and modular backdoor named 'Deadglyph' in an attack against a Middle Eastern government agency. According to a report from ESET researcher Filip Jurčacko, Deadglyph is a new modular malware that infects Windows devices, though the means of initial infection remain unknown. The malware operates by infecting a system's Windows registry with executable code. It also uses increasingly sophisticated measures to evade detection, including homoglyph attacks that imitate Microsoft text using look-alike Greek and Cyrillic Unicode characters. Deadglyph employs a modular approach, downloading modules from the command and control (C2) server that contain different shellcodes to carry out the tasks required by the threat actors. The malware's Orchestrator component is responsible for C2 communications and triggers a self-removal mechanism if it fails to establish communication with the C2 server after a certain period, to avoid detection and analysis. So far, ESET has identified three of Deadglyph's modules: a process creator, an info collector, and a file reader, revealing the highly complex and customized nature of the malware's operations. |
| 2023-09-25 00:15:00 | bleepingcomputer | CYBERCRIME | Scammers Exploit TikTok with Fake Celebrity Leaks to Push Temu Referral Codes | TikTok is being flooded with fake videos promising access to leaked celebrity photos, encouraging users to download the online shopping app Temu and use a special referral code to supposedly view this content. Created by scammers, these misleading videos are aimed not at distributing malicious content but at earning referral rewards from the Temu online megastore. The store allows customers to generate personal referral numbers and links, which can be shared on social media platforms to earn store credit or other rewards. Using captions implying the exposure of sensitive celebrity content, these scam videos try to bait viewers into downloading the app and using the mentioned referral number. TikTok users have begun to notice the influx of such scam videos and are posting responses questioning their validity. While the current scam only seeks to generate store credit, the same tactics could be used for more sinister purposes in the future, such as the spread of malware. TikTok and Temu have not yet issued an official response regarding the issue. |
| 2023-09-23 01:01:42 | thehackernews | CYBERCRIME | High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server, Fixes Released | Several high-severity security flaws have been discovered in products by Atlassian and the Internet Systems Consortium (ISC), potentially allowing denial-of-service (DoS) attacks and remote code execution. Atlassian, an Australian software services provider, confirmed the existence of four such vulnerabilities but stated that they have been addressed in the new versions of its software released last month. Separately, ISC has disclosed and issued fixes for two major vulnerabilities in its Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite. These bugs could have permitted a DoS condition. The ISC patches come three months after it remedied three other flaws in the BIND software, also capable of creating a DoS situation. Both companies' quick response to the discovery of these flaws and the speedy roll-out of their updates mitigated any potential impact on their clients. The cases underscore the importance of keeping software and systems updated to mitigate security risks. |
| 2023-09-23 00:47:37 | theregister | MALWARE | Apple Patches iOS Vulnerabilities Exploited by Predator Spyware | Apple has issued patches for three CVE-listed flaws in iOS and macOS after Intellexa's Predator spyware was found to have exploited these vulnerabilities to target an iPhone. The vulnerabilities reportedly allowed the spyware to gain execution within the OS kernel, bypass pointer authentication code protections, and steal data and spy on the user for Intellexa's client. Researchers from The Citizen Lab and Google's Threat Analysis Group identified and reported these exploitations to Apple, after which the patches were released. Sources said that the Predator spyware exploited non-secure HTTP traffic for a man-in-the-middle attack and redirected the target's Safari browser to servers operated by the spyware's vendor. Intellexa, which was added to the US entity list as a national security threat in July, used the holes in iOS and macOS to infect devices without users' knowledge. Google also noted that Predator was installed "on Android devices in Egypt" using a different exploit chain, which included a flaw in Chrome patched on September 5. Apple, Google and Citizen Lab have advised users to promptly install the patches to avoid further exploitation and to use secure HTTPS rather than insecure HTTP where possible. |
| 2023-09-23 00:47:32 | bleepingcomputer | DATA BREACH | Ethereum Analytics Firm Nansen Suffers Data Breach Via Third-Party Vendor | Ethereum blockchain analytics company Nansen has experienced a data breach due to a third-party vendor's security incident. Around 6.8% of Nansen users had their email addresses exposed, while a smaller number had their blockchain addresses and password hashes compromised. The compromised third-party vendor had its admin panel accessed, which controls Nansen customer access on the analytics platform. Nansen has asked impacted users to change their passwords because the compromised password hashes could be brute-forced and because of the risk of targeted phishing attacks. While the investigation is ongoing, Nansen has advised all its users to update their passwords as a precautionary measure, as the number of impacted users may increase. |
| 2023-09-23 00:47:32 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Suspected in Broad Cyberattack on Government of Bermuda | The Government of Bermuda has experienced a cyberattack affecting the IT systems of all its departments, and initial evidence points to Russian hackers as the source. Services disrupted by the attack include internet, email, and phone. The Department of Information and Digital Technology (IDT) is working to restore service. Premier David Burt stated that the investigation has so far found no evidence of data theft; he also revealed that some other regional governments may have been affected by similar attacks. Additional service disruptions are expected as the investigation and recovery efforts continue. Both payroll and vendor payments have been initiated, but delays are expected; currently, only cash and checks are being accepted. The Bermuda Government is working closely with Government House on the issue, and a press briefing is scheduled to provide further information about the investigation's findings. |
| 2023-09-23 00:47:32 | bleepingcomputer | CYBERCRIME | Zero-Day Vulnerabilities on Apple and Chrome Exploited in Spyware Attacks Targeting Egyptian MP | Security researchers from Citizen Lab and Google's Threat Analysis Group (TAG) recently disclosed that three zero-day vulnerabilities patched by Apple were exploited to install Cytrox's Predator spyware on devices. The vulnerabilities were exploited using fake SMS and WhatsApp messages to target former Egyptian MP Ahmed Eltantawy, who had declared his intention to participate in the 2024 presidential election. On iOS devices, the attack began with remote code execution in Safari via malicious web pages, followed by a signature-validation bypass and kernel privilege escalation. The researchers revealed that the exploit chain was triggered automatically following redirection, deploying a tool to determine whether the spyware should be installed on the compromised device. A separate exploit chain was observed installing Predator spyware on Android devices in Egypt, exploiting a zero-day Chrome bug for remote code execution. Apple's Security Engineering & Architecture Team confirmed that iOS Lockdown Mode would have neutralized the attack. All at-risk Apple users are strongly advised to promptly install Apple's security updates and enable Lockdown Mode to counter potential attacks exploiting these vulnerabilities. Citizen Lab attributes this network injection attack to the Egyptian government based on the prevalence of Cytrox's Predator spyware in the country and the target's physical location there. |
| 2023-09-23 00:47:32 | bleepingcomputer | CYBERCRIME | Nigerian National Pleads Guilty in $6 Million Business Email Compromise Scheme | Kosi Goodness Simon-Ebo, a 29-year-old Nigerian national, has pleaded guilty to wire fraud and money laundering in a business email compromise (BEC) scam amounting to nearly $7 million. Simon-Ebo was extradited from Canada to the U.S. in April last year. During 2017, while residing in South Africa, Simon-Ebo conspired with U.S. accomplices to compromise business and employee email accounts, which they then used to contact businesses with fraudulent payment requests. The scammers used spoofed email addresses to imitate trusted partners, leading the victims to send money to a series of bank accounts controlled by Simon-Ebo and his associates. The scammers successfully stole approximately $1 million of the attempted $7 million, obscuring the money trail by circulating the funds through several accounts before withdrawing them in cash. Simon-Ebo is due to be sentenced on November 29, 2023, and faces up to 20 years in prison. He will also have to pay restitution of $1,072,306, equivalent to the total losses suffered by the victims. Business email compromise schemes continue to pose a significant threat to organizations worldwide. In 2021 alone, BEC-related losses amounted to almost $2.4 billion in the U.S., with Verizon reporting that BEC attacks had almost doubled in 2023. |
| 2023-09-23 00:47:32 | bleepingcomputer | CYBERCRIME | Royal Ransomware Attack on City of Dallas, Texas Originated from Stolen Account | The Royal ransomware gang breached the City of Dallas's network using a stolen domain service account and maintained access from early April to early May. In this period, the threat actors collected and exfiltrated over 1 TB of files; they also began distributing Cobalt Strike command-and-control beacons across the City's systems. The attackers launched ransomware payloads in early May, using legitimate Microsoft administrative tools to encrypt servers. The City responded by initiating mitigation efforts, taking high-priority servers offline, and starting service restoration; the restoration process took over five weeks. Personal information of over 30,000 individuals was potentially exposed by the attack, including names, addresses, Social Security, health, and health insurance details. The Dallas City Council has earmarked $8.5 million for restoration efforts following the ransomware attack, and final costs will be shared in due course. The Royal ransomware gang, believed to be an offshoot of the Conti cybercrime gang, exploits security flaws in publicly accessible devices and uses callback phishing attacks to gain network access. |
| 2023-09-22 16:44:50 | theregister | DATA BREACH | TransUnion Claims Published Stolen Customer Data Snatched from Third Party, Not their Systems | A cybercriminal using the moniker USDoD claimed to have accessed and shared a 3GB+ database from credit agency TransUnion containing private financial information for over 58,500 people. The data, supposedly leaked on a cyber-crime forum, included names, passport information, dates and places of birth, financial transaction summaries, credit scores, and loan details, among other sensitive data. VX-Underground reported that the data theft occurred on 2nd March 2022. While TransUnion confirmed a 2022 security breach (which compromised data for five million customers and 600,000 businesses), the company disputes the recent claims by USDoD. In a statement, it asserted that its systems did not show signs of a breach or subsequent data exfiltration. TransUnion's investigations, involving internal and third-party cybersecurity and forensic experts, indicate that the data and its formatting do not match TransUnion's internal information, implying the data was sourced from a third party and directing blame away from the credit giant. USDoD previously breached the FBI's InfraGard system and leaked contact details for approximately 80,000 members, and attacked Airbus, exposing personal data from 3,200 vendors on a cyber-crime forum. |
| 2023-09-22 16:44:50 | theregister | NATION STATE ACTIVITY | US Govt IT Technician Charged with Espionage for Allegedly Leaking Top Secret Data to Ethiopia | Abraham Lemma, a Department of State (DoS) IT help desk contractor, has been arrested and charged with spying for Ethiopia by sharing classified United States national defense information with Ethiopian intelligence. Lemma has held positions within various US government agencies since 2019. Lemma's alleged espionage activities were discovered during an investigation into the DoS's handling of national defense information. This investigation was initiated in the aftermath of a separate leak of classified documents by Air National Guardsman Jack Teixeira. Lemma, a naturalized US citizen born in Ethiopia, is accused of copying, printing, and downloading classified and top-secret information from over 100 US intelligence reports, mostly related to Ethiopia, between December 2022 and August 2023. Lemma allegedly shared classified national defense data, "including documents, photographs, notes, maps," via an encrypted messaging app. This included top-secret satellite images, photos of a military compound, and information relating to military activities in the region. Court documents revealed that Lemma received large deposits, totalling over $55,000, which escalated following his travels to Ethiopia and on dates coinciding with when he reportedly shared classified materials. Lemma faces charges of delivering national defense information to aid a foreign government, conspiracy to deliver such information, and willful retention of national defense information. The two espionage charges carry potential sentences of death or life in prison, while the willful retention charge carries up to 10 years in prison. |
| 2023-09-22 16:44:50 | theregister | NATION STATE ACTIVITY | European Space Agency to Build and Launch EU's Secure Satellite Comms Network IRIS2 | The European Space Agency (ESA) has agreed to build and launch the European Union's IRIS2 satellite constellation, aimed at providing secure space-based communications for EU members and reducing dependence on other nations' infrastructure. Originally planned in 2022 with a budget of €2.4 billion, the IRIS2 project aims to secure high-speed communication for civilian and defense use with advanced technologies such as 5G and quantum encryption. Despite initial service goals set for 2024 and full operational capacity by 2027, both timelines appear unlikely due to ESA's ongoing issues with its heavy launch vehicles. ESA's Ariane 6 launch vehicle is undergoing repairs for a hydraulic group anomaly ahead of a critical testing deadline in October. If delays persist, Arianespace's Vega launchers could potentially be used if the IRIS2 satellites weigh less than 2,200 kg. European companies Airbus and Thales could also contribute their expertise to the project. |
| 2023-09-22 16:44:50 | thehackernews | MISCELLANEOUS | Understanding and Interpreting the 2023 MITRE ATT&CK Evaluation Results and Cynet's Consecrated Performance | The 2023 MITRE Engenuity ATT&CK Evaluation tested 31 cybersecurity solutions, including Cynet, against attacks modeled on the tactics of the real-world advanced persistent threat (APT) group Turla. MITRE does not score or rank vendors but instead supplies raw data and basic comparison tools, allowing organizations to assess the relevance of the solutions based on their own needs and priorities. Key measures of the evaluation included Overall Visibility (total number of detected attack steps), Detection Quality (percentage of attack sub-steps that identified a tactic or technique), and pre-configuration threat detection. Cynet performed exceptionally well in the evaluation, claiming 100% visibility and perfect detection for all attack steps. Cynet also provided 100% analytic coverage for all attack steps. A webinar featuring Cynet CTO Aviad Hasnis and ISMG SVP Editorial Tom Field will provide further insight into Cynet's performance and guidance for cybersecurity leaders on interpreting these results. |
| 2023-09-22 16:44:50 | thehackernews | NATION STATE ACTIVITY | Iranian Threat Actor OilRig Continues Cyberattacks Against Israeli Organizations | The Iranian nation-state actor known as OilRig orchestrated two cyberattack campaigns, termed Outer Space and Juicy Mix, targeting Israeli organizations in 2021 and 2022. OilRig deployed two backdoors, Solar and Mango, purportedly through spear-phishing emails, to gather sensitive data from browsers and the Windows Credential Manager. OilRig, affiliated with Iran's Ministry of Intelligence and Security (MOIS) and active since 2014, has used various tools to carry out information theft. In February, Trend Micro discovered OilRig's use of a simple backdoor to steal user credentials, showing its "flexibility to write new malware based on researched customer environments and access levels". The latest findings indicate the group's continued focus on Israel, using spear-phishing lures to trick potential targets into installing malware through malicious attachments. The group continues to innovate, creating new implants with backdoor capabilities, finding new ways to execute commands remotely, and deploying post-compromise tools to collect credentials, cookies, and browsing history. |