Daily Brief

2023-09-20 16:27:45 bleepingcomputer CYBERCRIME Signal Upgrades Messaging Protocol with Quantum-Resistant Encryption
Signal has upgraded its communication protocol to use quantum-resistant encryption keys, defending its users from future potential threats posed by quantum computers. Quantum computers, which use qubits for computations, show potential to weaken current encryption schemes by decrypting protected data quickly. Predictions for the emergence of quantum computers powerful enough to perform such tasks fluctuate, leading to a "harvest now, decrypt later" risk that necessitates the adoption of quantum-resistant algorithms now. Signal uses a key agreement protocol called PQXDH (Post-Quantum Extended Diffie-Hellman) to generate quantum-resistant secret keys, replacing its earlier X3DH (Extended Triple Diffie-Hellman) protocol. PQXDH uses both X3DH's elliptic curve key agreement protocol as well as a post-quantum key encapsulation mechanism called CRYSTALS-Kyber. This change is the first in a series of adaptations from Signal to ensure quantum-resistant End-to-End encryption (E2EE) as the tech environment evolves. Future upgrades will aim to fill data security gaps or address emerging challenges from ongoing research.
2023-09-20 16:27:45 bleepingcomputer DATA BREACH Data Breach Investigation Costs Surge, Average Cost Now at $4.45 Million
IBM’s annual Cost of a Data Breach Report reveals an increase in data breach costs to $4.45 million on average in 2023. One key contributor to escalating costs is the rising expense of incident investigations, referred to as 'detection and escalation'. The report shows that detection and escalation costs averaged $1.58 million per breach, representing over 35% of the total average cost. Mitigation strategies to reduce data breach investigation costs include robust information governance, ongoing employee security training, continuous vulnerability management, simulated cyberattacks, and the use of Cyber Threat Intelligence (CTI) to expedite response to breaches. Despite the demonstrated effectiveness of CTI, 79% of security professionals report making decisions without the use of threat intelligence. This is due to factors such as the time-consuming nature of gathering CTI and ongoing labor market shortages in this field. Outpost24 recommends utilizing modular Cyber Threat Intelligence such as its Threat Compass to navigate swiftly and efficiently through data breaches. This approach enables prioritization of the intelligence types most relevant to a company's specific business, sector, and areas of cyber risk.
2023-09-20 16:27:45 bleepingcomputer MALWARE VenomRAT Malware Spread Through Fake WinRAR Exploit on GitHub
A hacker utilised a fake proof-of-concept (PoC) exploit for a recently fixed WinRAR vulnerability on GitHub to infect users with the VenomRAT malware; the malicious code was posted on GitHub in August 2023. The fake PoC was linked to a vulnerability that allowed arbitrary code execution when specially crafted RAR files were opened in older versions of WinRAR. A threat actor known as 'whalersplonk' capitalised on this vulnerability quickly, spreading malware under cover of exploit code for the new WinRAR vulnerability. When executed, the fake PoC created a batch script, which then downloaded and executed an encoded PowerShell script and the VenomRAT malware on the host device. Once active, VenomRAT runs a keylogger that records keystrokes and writes them to a local text file, and contacts a C2 server that issues commands for execution on the infected device. The actor likely prepared well ahead of the public disclosure of the WinRAR flaw, suggesting a similar pattern may be deployed in future for other vulnerabilities. In recent years, crooks have increasingly exploited the GitHub platform to promote fraudulent PoCs for a variety of vulnerabilities, often deploying malware, malicious PowerShell scripts and Cobalt Strike droppers.
2023-09-20 02:10:25 bleepingcomputer MALWARE Cyberattackers Use New HTTPSnoop and PipeSnoop Malware to Target Middle Eastern Telecom Providers
Hackers have been employing two new types of malware, HTTPSnoop and PipeSnoop, to attack telecom service providers in the Middle East and remotely execute commands on the compromised devices. Cisco Talos' report attributes both malware families to an intrusion set named 'ShroudedSnooper'. While the two serve different operational aims related to their level of infiltration, both have been disguised as security components of the Palo Alto Networks Cortex XDR product to avoid detection. HTTPSnoop utilizes low-level Windows APIs to inspect HTTP(S) traffic on the infected device for specific URLs. The malware decodes base64-encoded data from these URLs and runs it as shellcode on the affected host. Cisco discovered three variants of HTTPSnoop, each with different URL listening patterns that appeared to imitate legitimate URL patterns from Microsoft Exchange Web Services. Detected in May 2023, PipeSnoop behaves as a backdoor that executes shellcode payloads on compromised endpoints via Windows IPC (Inter-Process Communication) pipes. Notably, it seems better suited to operations deep within compromised networks. Telecom service providers are targets for state-supported threat actors due to their critical roles in managing significant infrastructure and carrying highly sensitive information. This highlights the increasing necessity for improved security measures and international collaboration to protect them.
2023-09-20 02:01:58 theregister CYBERCRIME Thousands of Juniper Junos Firewalls Vulnerable
Threat intelligence provider VulnCheck has found that 79% of public-facing Juniper SRX firewalls are vulnerable to a security flaw allowing unauthenticated remote code execution. Juniper identified and addressed five security flaws affecting all versions of Junos OS on SRX firewalls and EX series switches in an out-of-cycle security bulletin on August 17. The five flaws consist of two PHP external variable modification vulnerabilities and three "missing authentication for critical function" vulnerabilities. Individually these flaws rate 5.3 on the ten-point CVSS severity scale; however, when chained together they reach a critical 9.8 CVSS score. Juniper attempted to resolve the issues and updated its advisories on 7 September following the publication of a proof-of-concept exploit by security researchers. Despite Juniper's action, VulnCheck believes that approximately 15,000 internet-facing firewalls remain unpatched and vulnerable. VulnCheck has released a free scanning tool able to identify vulnerable firewalls and advises all affected to apply patches as soon as possible.
2023-09-20 02:01:58 theregister NATION STATE ACTIVITY Russian National Charged over Alleged Smuggling of US Electronics for Weaponry to Moscow
The US Justice Department has charged a Russian national, Maxim Marchenko, for allegedly smuggling over $1.6 million worth of microelectronics, potentially for use in Russia's conflict with Ukraine. Marchenko allegedly utilised shell companies in Hong Kong to procure these US-sourced OLED displays that can be used in different weapon systems. These products were headed to end users in Russia. The charges put forth by the authorities include conspiracy to defraud the US, money laundering, smuggling goods from the US and wire fraud. If convicted on all counts, he faces up to life imprisonment. Marchenko and two other alleged co-conspirators are accused of running an illegal procurement network in Russia, Hong Kong and elsewhere from May 2022 to August 2023. The main aim of this network was to purchase micro-displays from an unnamed American company based in Dutchess County, New York, believed to be eMagin, and smuggle them to Russia. After the invasion of Ukraine in February 2022, eMagin stopped selling their products to Russian customers. Therefore, shell companies were allegedly set up by Marchenko and his partners to bypass eMagin's Russia ban and to avoid US export regulations. Importantly, the network allegedly fooled the US manufacturer by stating that the shipments were going to end-users in China and Hong Kong for non-military applications.
2023-09-20 02:01:58 theregister CYBERCRIME Clorox Company Suffers Cyberattack Leading to Widescale Operational Disruption
The Clorox Company, a major household cleaning product manufacturer, confirmed having suffered a cyberattack that caused widespread disruption to its operations. Although the company has not disclosed whether any data was extracted or the time of the attack, they reported that certain systems were voluntarily taken offline as a precautionary measure. The attack has resulted in significant financial implications for the company, which they predict will be evident in the next quarterly results due to order processing delays and a high level of product outages. The company has been forced to return to manual order processing procedures and believes that it will take until near the end of the month to return to normal automated order processing. The extent of the financial and business impact is still under review and it is currently uncertain how long it will take for operations to be fully normalized.
2023-09-20 02:01:58 theregister NATION STATE ACTIVITY Australia to Build 'Six Cyber Shields' for National Security, Corporates Warned on Directorial Duty
Australia plans to construct 'six cyber shields' as part of a national cybersecurity strategy. The initiative is scheduled for completion by 2030, the year by which the country aims to be a global leader in cybersecurity. This announcement was made by Clare O'Neil, Home Affairs Minister, during a seminar on cybersecurity. Joe Longo, chair of the corporate regulator, the Australian Securities and Investments Commission (ASIC), underscored that cybersecurity and resilience are not merely technical matters but intrinsic to directors' duties. He further warned that a lack of adherence to these responsibilities could result in failures to meet regulatory obligations, potential board member liability for losses, and possible civil or even criminal penalties. Longo criticised the 'vaccination theory of cybersecurity', which assumes a one-time intervention is enough, and urged directors to persistently manage supply chain and vendor risks. He called for the development of crisis plans, inclusive of third-party suppliers and vendors, to facilitate coordination with customers, regulators, and markets during security breaches. Citing data from an ASIC survey, Longo stressed the importance of identifying and protecting critical information, especially when it is managed by a third party.
2023-09-20 02:01:58 theregister CYBERCRIME Marvell Disputes Claims of Cavium Semiconductor Backdoors for US Intelligence
Researcher Dr Jacob Appelbaum has alleged that semiconductors made by Cavium, a company acquired in 2018 by Marvell, had backdoors implemented for US intelligence. The claims were mentioned in Appelbaum's recently-published PhD thesis, citing information from the Snowden leaks. Marvell has denied the allegations. Marvell said that neither company ever put backdoors in their products for any government. They also note their adherence to security protocols and standards in their products. Appelbaum responded by elaborating that the alleged backdoor could simply be the companies' implementation of weak yet standardized cryptography algorithms that the NSA encouraged suppliers to adopt for the purpose of exploitation. In his email response to Marvell’s reply, Appelbaum also questioned whether Marvell performed an internal review of Cavium intellectual property during their acquisition. He suggested that Marvell had not conducted an internal audit to detect possibly infiltrated technologies. No answers have yet been provided to Appelbaum's questions. Appelbaum compared his narrative to 2018's allegations about Supermicro server motherboards containing spy chips. He also criticized media organizations for redacting rather than reporting the names of American companies allegedly sabotaged by the NSA as per project BULLRUN and similar programs. A former U.S. chipmaker executive mentioned that a decade ago the government sought chip security information but the firm rejected these, fearing the financial risk of being discovered as hole-plugging its devices. The executive suggested that other companies might have yielded to government pressure.
2023-09-20 02:01:57 thehackernews CYBERCRIME Chinese-linked Earth Lusca Expands Cyber Espionage Operations with Linux Backdoor SprySOCKS
The China-linked threat actor Earth Lusca is targeting government entities worldwide, largely concentrating on those involved in foreign affairs, technology, and telecommunications in Southeast Asia, Central Asia and the Balkans, through a newly developed Linux backdoor named SprySOCKS. Initially documented by Trend Micro in January 2022, Earth Lusca has been active since 2021, using spear-phishing and watering hole attacks for its cyber espionage operations, which overlap with activity attributed to another threat actor tracked as RedHotel. Public-facing Fortinet, GitLab, Microsoft Exchange Server, Progress Telerik UI, and Zimbra servers are being exploited to deliver web shells and the Cobalt Strike tool to facilitate lateral movement. In addition to stealing documents and email account credentials, the group aims to deploy advanced backdoors like ShadowPad and the Linux version of Winnti for long-term espionage activities. The Linux backdoor SprySOCKS, which shares a delivery server with the Cobalt Strike and Winnti payloads, can collect system information, start an interactive shell, create and terminate a SOCKS proxy, and perform several file and directory operations. Researchers suggest continuous updating and patching of tools, software, and systems to mitigate potential threats and reduce the chances of a successful breach of the organization's security.
2023-09-20 02:01:57 thehackernews MALWARE New Rust-Based Malware Targeting Azerbaijan Detected; Potentially False Flag Operation
Deep Instinct has identified a new malware campaign, dubbed Operation Rusty Flag, which has singled out targets in Azerbaijan. The operation has not been linked to any known threat actor or group. It uses at least two different initial access vectors, with one of the lures being a modified document previously used by the Storm-0978 group, which may indicate a deliberate 'false flag' operation. The attack chain leverages an LNK file as a launchpad to retrieve a second-stage payload, an MSI installer hosted on Dropbox. This drops a Rust-written implant, an XML file defining a scheduled task to execute the implant, and a decoy image file bearing watermarks of the Azerbaijan Ministry of Defense symbol. The alternate infection vector exploits a six-year-old memory corruption vulnerability in Microsoft Office's Equation Editor. Notably, the attackers used a lure with the same filename previously leveraged by Storm-0978 in recent cyber attacks targeting Ukraine. The Rust backdoor is capable of gathering information from the compromised host and sending it to an attacker-controlled server. Experts note that the end goals of this campaign remain unclear, but the possibility of it being a red team exercise cannot be discounted. Furthermore, the popularity of Rust among malware authors is growing, as it currently evades detection by security products and complicates reverse engineering.
2023-09-20 02:01:57 thehackernews MALWARE XWorm Malware Updates Tactics, Techniques, and Procedures (TTPs)
Researchers at ANY.RUN have explored the latest version of the XWorm malware, a persistent and evolving threat with enhanced functionality resulting from a series of updates since its inception in 2022. The sample was initially distributed via MediaFire, a file-hosting service, and was found in a password-protected RAR archive. Upon execution, it was identified as XWorm. Tactics, Techniques, and Procedures (TTPs) deployed by XWorm include adding its shortcut to the Startup directory, restarting itself with elevated privileges through the task scheduler, installing software in the Public directory, and attempting to connect to a remote server. One notable aspect of the latest XWorm activity is its evolved evasion techniques. The malware now queries a special service to detect whether it is running in a virtualized environment, and shuts down when such an environment is detected. Using the Residential Proxy feature in the sandbox settings, the ANY.RUN team replaced the virtual machine's datacenter IP address with one from an actual ISP, tricking the malware into believing it was running on a user's machine. In addition, XWorm was found to employ various detection and checking mechanisms, such as virtualization detection (VMware or VirtualBox), debugger and Sandboxie detection, and datacenter IP checks. The malware also used the registry and task scheduler to maintain a persistent presence on the system. With further static analysis, the team noted XWorm's heavy obfuscation, a configuration block presumably containing its settings, and a routine for decrypting incoming base64 strings.
2023-09-20 02:01:57 thehackernews CYBERCRIME ShroudedSnooper Attacks Target Middle Eastern Telecom Companies with HTTPSnoop Backdoor
Middle Eastern telecom service providers are being targeted by a new intrusion set named ShroudedSnooper that deploys a stealthy backdoor called HTTPSnoop. Cisco Talos explains that HTTPSnoop interfaces with Windows HTTP kernel drivers and devices, listens for incoming requests to specific HTTP(S) URLs and executes the content on the infected endpoint. The threat actor also uses a related implant called PipeSnoop, which can accept and execute arbitrary shellcode from a named pipe on the infected endpoint. It is suspected that ShroudedSnooper gains initial access through exploited internet-facing servers, with both malware families masquerading as components of Palo Alto Networks' Cortex XDR application. The malware employs low-level Windows APIs to listen for incoming requests matching predefined URL patterns, extracting the embedded shellcode for execution on the host. Cisco Talos assesses that the PipeSnoop implant likely operates further within a compromised enterprise and is probably used against endpoints that the operators deem more valuable or high-priority. Attacks on the telecom sector in the Middle East have been consistent in recent years, with additional breaches orchestrated by Lebanese Cedar, MuddyWater, BackdoorDiplomacy, WIP26, and Granite Typhoon also documented.
2023-09-20 02:01:57 bleepingcomputer DATA BREACH GitLab Releases Updates to Address Critical Pipeline Flaw
GitLab has issued security updates to rectify a high severity vulnerability that could allow attackers to execute pipelines on behalf of other users via scheduled security scan policies. The vulnerability, designated CVE-2023-4998, affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 and versions 16.3 through 16.3.4. The flaw was discovered by security researcher Johan Carlsson as a bypass of a previously fixed medium-severity issue, CVE-2023-3932; because of this, the severity of the current flaw has been upgraded to critical. The flaw could enable attackers to access sensitive information or misuse the permissions of the impersonated user to run code, modify data or trigger specific events within the GitLab system; the potential consequences include loss of intellectual property, data leaks, and supply chain attacks among other high-risk scenarios. GitLab advises users to promptly apply the security updates; for users of versions prior to 16.2, the suggested mitigation is to avoid having both "Direct transfers" and "Security policies" enabled simultaneously. Users can download the update from official GitLab resources or obtain GitLab Runner packages from the official webpage.
2023-09-20 02:01:57 bleepingcomputer DATA BREACH International Criminal Court Discloses Cybersecurity Breach
The International Criminal Court (ICC) revealed that its systems were compromised in a cyberattack detected last week, but specifics about the breach are not yet available. The ICC responded promptly to mitigate the impact of the security incident and initiated investigations with the help of the authorities of the Netherlands, the ICC's host nation. The extent and nature of the attack, including any access to or extraction of data from the ICC's network, have yet to be determined. In reaction to the breach, the ICC expressed its intent to bolster its cybersecurity defenses, specifically by accelerating its move to cloud technology. The ICC is an international tribunal that deals with serious global offences such as war crimes and genocide, with 123 member nations. It is not yet clear whether this cyberattack will affect the court's operations.