Daily Brief

2023-12-15 14:54:39 | bleepingcomputer | DATA BREACH | Dental Insurer Delta Dental Reports Data Breach Affecting 7 Million
Delta Dental of California experienced a data breach due to MOVEit Transfer software vulnerability, exposing personal information of nearly 7 million people. A zero-day SQL injection flaw, CVE-2023-34362, was exploited, which allowed the Clop ransomware group to access thousands of organizations. Unauthorized access to Delta Dental's system occurred between May 27 and May 30, 2023, with the breach confirmed following an investigation on June 6, 2023. Compromised data includes names, financial account numbers, and credit/debit card information, including security codes. Delta Dental is offering 24 months of free credit monitoring and identity theft protection services to impacted customers. Impacted customers are advised to be vigilant against unsolicited communications that may lead to phishing or scams. This incident ranks as the third-largest in a series of breaches involving MOVEit software, trailing behind incidents at Maximus and Welltok.

2023-12-15 14:33:58 | theregister | MALWARE | NKAbuse Malware Exploits Blockchain for Multi-platform Attacks
Incident responders have discovered a new multi-platform malware named NKAbuse, which uses the New Kind of Network (NKN) protocol to conduct its operations. NKAbuse is capable of performing DDoS attacks, offering remote access trojan (RAT) functionality, and operates across multiple architectures, with a preference for Linux. The malware exploits the CVE-2017-5638 vulnerability in Apache Struts 2 to spread and can adapt payloads based on the victim's operating system. NKAbuse achieves persistence on compromised systems by creating cron jobs and ensures reliability and anonymity through the blockchain-based NKN protocol, making its traffic harder to trace. It is equipped with a variety of DDoS attack methods associated with known botnets and has comprehensive RAT capabilities, enabling attackers to perform a wide range of malicious activities. Victims have been identified in various countries including Mexico, Colombia, and Vietnam, demonstrating NKAbuse's global reach and potential for expansion.

2023-12-15 14:23:24 | thehackernews | NATION STATE ACTIVITY | APT Group Exploits Network Devices with KV-Botnet for Stealth Operations
A newly identified KV-botnet is targeting devices from Cisco, DrayTek, Fortinet, and NETGEAR for covert operations. The botnet is linked to Volt Typhoon, a threat actor with connections to China, and has been active since at least February 2022. Consisting of two clusters, KY and JDY, the botnet enables access to high-profile victims and establishes covert infrastructure. Telemetry data indicates botnet control from China-based IP addresses, with KY focusing on high-profile targets and JDY on broader scanning. The initial infection mechanism remains unknown, but once installed, the malware prioritizes its own persistence and prepares to receive further instructions. Recent changes to the botnet's infrastructure suggest preparation for new attacks, possibly targeting Axis IP cameras. The malware operates solely in memory, complicating detection but allowing for removal by power-cycling the infected device, although re-infection risks remain.

2023-12-15 13:53:24 | theregister | CYBERCRIME | Karakurt Crime Gang Exploits Multiple Vulnerabilities for Extortion
The FBI, CISA, Treasury Department, and Financial Crimes Enforcement Network have issued an alert on the Karakurt extortion gang's tactics. Karakurt targets organizations indiscriminately, stealing data without encrypting assets, and backs its ransom demands with aggressive harassment of victims. Ransom demands range from $25,000 to $13 million, paid in Bitcoin, with a one-week deadline after initial contact. The gang gains access through stolen credentials, vulnerabilities in VPNs like Cisco AnyConnect, compromised SonicWall appliances, and outdated servers. Karakurt utilizes tools such as Cobalt Strike, Mimikatz, and AnyDesk to steal credentials, maintain access, and exfiltrate large volumes of data. Victims report that despite paying ransoms, Karakurt does not always honor promises to maintain the confidentiality of stolen data. Officials strongly advise against paying ransoms and have issued indicators of compromise, including tool signatures and email addresses associated with the gang.

2023-12-15 13:04:42 | thehackernews | CYBERCRIME | Ledger Crypto Wallet Compromised, $600K Stolen by Hackers
Ledger's software supply chain was breached due to a phishing attack on a former employee, leading to a significant theft of virtual assets. Over $600,000 was stolen after threat actors gained access to Ledger's npm account and propagated malicious code in the "@ledgerhq/connect-kit" module. Attackers uploaded three tainted versions of the module which included a crypto drainer malware that rerouted funds to hacker-controlled wallets. The tampered modules were used to display fake prompts to users, deceiving them into connecting their wallets and subsequently draining funds. Although the malicious versions were live for approximately five hours, the actual window of fund drainage was less than two hours. Ledger has since removed the compromised versions, released a fixed version of the module, and reported the incident, leading to the freezing of stolen funds by stablecoin issuer Tether. This incident reflects the increasing use of software registries for malware distribution via supply chain attacks, particularly targeting crypto assets for swift financial gains.

2023-12-15 11:17:54 | thehackernews | CYBERCRIME | The Pivotal Role of Secure Coding in Web Application Security
Web applications are increasingly targeted by attackers due to the wealth of sensitive data they process and store. SQL Injections and Broken Access Control (BAC) are among the most prevalent vulnerabilities in web applications. SQL Injections can manipulate a backend database to unlawfully access data by injecting malicious SQL code. BAC has become the top web application security risk, with incidents including both vertical and horizontal privilege escalations. A practical approach to preventing SQL injections is input validation, which involves treating user input as data values instead of executable code. While Web Application Firewalls (WAFs) can improve security, they are not foolproof and can be circumvented by zero-day exploits. Secure coding practices, proper sanitization, and the principle of least privilege are fundamental to protecting web applications alongside WAFs. Incident response and recovery plans are critical for mitigating attacks, with expert consultation and reporting mechanisms in place for immediate support.

2023-12-15 11:07:45 | thehackernews | CYBERCRIME | Urgent Patch Required for pfSense Firewall Security Flaws
Multiple security vulnerabilities have been identified in the pfSense firewall software, which could allow attackers to execute arbitrary commands. The issues include two reflected cross-site scripting (XSS) bugs and one command injection flaw that can be exploited by deceiving an authenticated user. An attacker can inject malicious scripts that are executed in the admin user's web browser, enabling unauthorized actions within the firewall with root-level access. Successful exploitation could lead to attackers spying on internal traffic or attacking services on the local network. The vulnerabilities primarily affect pfSense CE 2.7.0 and below, as well as pfSense Plus 23.05.1 and below. Patches have been released with pfSense CE 2.7.1 and pfSense Plus 23.09 following a responsible disclosure on July 3, 2023. The disclosure comes after Sonar's recent identification of a remote code execution flaw in Microsoft Visual Studio Code, which was patched in the September 2023 updates.

2023-12-15 10:01:46 | theregister | DATA BREACH | ICO Urges Proper Emailing Practices After Data Breaches
The Information Commissioner's Office (ICO) has reminded businesses to properly use email fields to prevent personal data breaches. Staff must be trained to correctly use the "CC" (carbon copy) and "BCC" (blind carbon copy) features, with various incidents reported due to misuse. Case studies showed personal email addresses openly shared due to incorrect usage of "To" or "CC" instead of "BCC," revealing information about individuals. An NHS Trust and a charity were highlighted as examples where such errors resulted in the identification of trust patients and disclosed email addresses of HIV advisory board members. The ICO underscores the importance of understanding the distinction between "CC" and "BCC," implementing warning systems for potential misuse, and considering delays before sending emails to allow error correction. Additional advice includes turning off the autocomplete function to avoid unintended recipients and evaluating whether email is the best method for sharing information, including when using third-party services. Organizations are encouraged to take a risk-based approach to email communications, ensuring they adhere to privacy requirements and best practices.

2023-12-15 07:29:16 | thehackernews | MISCELLANEOUS | Google Rolls Out Privacy-Centric Tracking Protection in Chrome
Google will begin testing a new "Tracking Protection" feature in Chrome to block third-party cookies for 1% of users from January 4, 2024. The feature aims to restrict cross-site tracking by disabling non-essential cookies by default, enhancing user privacy without compromising access to free content. Participants for the initial test are randomly selected and will be notified upon using Chrome on desktop or Android devices. Major browsers like Safari and Firefox have already implemented similar restrictions, but Google's approach seeks to balance privacy with continued support for ad-funded online services. Third-party cookies will be phased out for all Chrome users starting in Q3 2024, following initial testing and feedback. Google's Privacy Sandbox initiative will use data aggregation, limitations, and obfuscation instead of cross-site user identifiers to maintain privacy while still enabling targeted advertising and ad performance measurement. Google commits to evolving Chrome into a browser that's more private and accessible, underscoring the company's dedication to user privacy advancements.

2023-12-15 05:32:21 | thehackernews | MALWARE | New Malware 'NKAbuse' Uses Blockchain for DDoS Attacks
NKAbuse, a new malware exploiting the NKN blockchain network, has been identified to perform DDoS attacks and act as a backdoor implant. The malware communicates over the NKN protocol, a network of over 62,000 nodes, to exchange commands and data between compromised systems. Primarily targeting Linux systems including IoT devices, it leverages a six-year-old vulnerability in Apache Struts to infiltrate systems. NKAbuse is coded in Go and supports various CPU architectures without a self-propagation mechanism, relying on other methods for initial delivery. Persistence is achieved through cron jobs, and elevated privileges are required for its functions, which include system information reporting, screenshot capture, file management, and command execution. The use of blockchain technology affords the botnet reliability and anonymity, signaling the potential for growth without a discernible command center. NKN's co-founder expressed surprise and an intent to understand and mitigate the misuse of their technology to ensure internet safety and neutrality.

2023-12-14 23:31:30 | bleepingcomputer | CYBERCRIME | Kraft Heinz Probes Potential Cyberattack After Extortion Group's Claim
Kraft Heinz is investigating claims of a cyberattack on a decommissioned marketing website after being listed on Snatch extortion group's data leak site. Snatch announced they breached Kraft Heinz, but no evidence or stolen data has been provided to substantiate these claims. As one of the largest food and beverage companies, Kraft Heinz operates globally with well-known brands such as Oscar Mayer and Philadelphia. Despite the extortion group's assertions, Kraft Heinz reports that their internal systems are functioning normally with no signs of a broader cyberattack. Snatch, historically known for ransomware activities, claims to have shifted focus from encrypting victims' files to solely data exfiltration and extortion. The United States Cybersecurity and Infrastructure Security Agency (CISA) identifies data on Snatch's website originating from both their operations and other ransomware groups, which contradicts Snatch Team's claim of not engaging in ransomware attacks.

2023-12-14 22:15:16 | bleepingcomputer | MALWARE | NKAbuse Malware Utilizes NKN Blockchain for Stealth DDoS Attacks
NKAbuse, a novel multi-platform malware, leverages NKN (New Kind of Network) blockchain technology for stealthy communication, posing a new kind of threat. The malware primarily targets Linux devices in Mexico, Colombia, and Vietnam, and it has been seen exploiting an older Apache Struts vulnerability to infiltrate systems. NKAbuse can compromise various architectures including IoT devices, as well as MIPS, ARM, and x86 systems. It conducts hard-to-trace DDoS attacks, using the NKN protocol, which isn't widely monitored by security tools, effectively hiding its source. The malware serves as a remote access trojan (RAT), allowing attackers to execute commands, exfiltrate data, and capture screenshots. Kaspersky's analysis reveals NKAbuse to be a sophisticated and versatile tool capable of a range of attack methodologies, complicating defense efforts. The use of blockchain to manage C2 (command and control) communications provides the attackers with resilience and obfuscation, which are not common in traditional DDoS botnets.

2023-12-14 22:00:02 | theregister | CYBERCRIME | Microsoft Disrupts Major Cybercrime Operation Selling Phony Accounts
Microsoft took action against Storm-1152, a cybercrime group known for selling fraudulent Microsoft accounts. The operation involved seizing US-based websites that offered illegal services such as fake email accounts and CAPTCHA-solving tokens. Storm-1152 has been associated with significant financial gains from their activities, causing substantial losses for Microsoft customers. Court-ordered action was initiated after the group's activities were deemed harmful and found to use Microsoft trademarks without authorization. The three individuals leading Storm-1152, all based in Vietnam, were identified in the legal proceedings. Their services were linked to notable attacks by Scattered Spider, including massive ransomware incursions against Las Vegas casinos. The action by Microsoft is part of ongoing efforts to fight cybercrime and mitigate its impacts on companies and the general public.

2023-12-14 20:43:14 | bleepingcomputer | DATA BREACH | Ubiquiti Cloud Misconfiguration Leads to Unauthorized Access
Ubiquiti users reported being able to access and receive notifications from other users' devices via the UniFi cloud platform. The issue was first spotted when a user received a notification from a camera they did not own, leading to concerns about privacy and security. Other users experienced similar issues, gaining complete access to devices and control panels that were not theirs, with the situation reverting to normal after refreshing the web page. Ubiquiti responded to inquiries, stating they are reviewing the situation and will issue a statement after thorough investigation. The company has since attributed the problem to a misconfiguration during a cloud infrastructure upgrade, which led to two groups of accounts having cross-access for a limited time. A total of 1,216 Ubiquiti accounts were affected, with the company identifying that only twelve accounts saw improper access, promising to notify impacted users via email.

2023-12-14 19:42:14 | bleepingcomputer | MALWARE | New Banking Malware Targets Nearly 1,000 Android Apps Worldwide
Ten new Android banking trojans emerged in 2023, targeting 985 financial apps in 61 countries. Banking trojans aim to steal online bank account credentials, bypass two-factor authentication, and commit fraud. The malware often appears as utilities, games, or productivity apps and has been found to target personal data and social media. Among the updated existing families of malware are Teabot, Exobot, Mysterybot, Medusa, Cabassous, Anubis, and Coper. The United States is the most targeted country, with 109 banking apps affected, followed by the UK with 48, and Italy with 44. Mobile security experts recommend only downloading apps from official stores, scrutinizing app permissions, and being cautious about external download requests.