Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12615
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-24 18:17:09 | bleepingcomputer | DATA BREACH | Critical Security Flaws in ownCloud Expose Admin Credentials | ownCloud, a widely used open-source file-sharing platform, has disclosed three critical vulnerabilities that put server integrity and user data at serious risk.
The most severe, CVE-2023-49103 (CVSS 10.0), exposes the PHP environment of containerized deployments, including the administrator password, mail server credentials and other secrets.
Administrators are urged to delete the offending file ('GetPhpInfo.php'), disable PHP's 'phpinfo' function in their Docker containers, and rotate every secret that may have been exposed.
A separate authentication bypass in the ownCloud core library lets an attacker who knows a victim's username access, modify or delete that user's files without authenticating, provided the user has no signing-key configured.
A subdomain validation bypass in the oauth2 app lets an attacker redirect OAuth callbacks to a domain they control, which could be used for phishing.
ownCloud has released fixes and mitigations, including library updates, for all three issues.
Administrators are encouraged to apply them promptly to guard against data theft, unauthorized access and phishing. | Details |
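A post-mitigation check for the phpinfo exposure, added here as an example (written for this brief, not ownCloud's own tooling). It confirms the two steps the advisory asks for: that no copy of 'GetPhpInfo.php' remains under the install root, and that 'phpinfo' is listed in PHP's 'disable_functions' so a re-added file would be inert. The install root and php.ini path are arguments the operator supplies; the file name is the one named in the advisory.

```python
"""Check both ownCloud phpinfo mitigations: file removed, function disabled."""
import json
import os
import re
import sys
from pathlib import Path

LEAK_FILE = "GetPhpInfo.php"  # the file the advisory tells administrators to delete
# An uncommented disable_functions directive; a later occurrence overrides an earlier one,
# which is how PHP itself reads the file.
_DISABLE_RE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$")


def find_leak_files(install_root: str) -> list:
    """Return every copy of GetPhpInfo.php still present under the install root."""
    hits = []
    for dirpath, _dirs, files in os.walk(install_root):
        if LEAK_FILE in files:
            hits.append(os.path.join(dirpath, LEAK_FILE))
    return sorted(hits)


def parse_disable_functions(ini_text: str) -> set:
    """Return the function names listed in php.ini's disable_functions directive."""
    disabled = set()
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):
            continue  # php.ini comment
        m = _DISABLE_RE.match(line)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return disabled


def check_owncloud_phpinfo(install_root: str, php_ini: str) -> dict:
    """Findings for both mitigations; 'ok' is True only when both are in place."""
    leftover = find_leak_files(install_root)
    ini_text = Path(php_ini).read_text(encoding="utf-8", errors="replace")
    phpinfo_disabled = "phpinfo" in parse_disable_functions(ini_text)
    return {
        "leftover_files": leftover,
        "phpinfo_disabled": phpinfo_disabled,
        "ok": not leftover and phpinfo_disabled,
    }


if __name__ == "__main__":
    # Usage: python check_owncloud.py <install_root> <php.ini>; exits non-zero on a failed check.
    result = check_owncloud_phpinfo(sys.argv[1], sys.argv[2])
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

The walk is by file name rather than by the vendored path because a backup or a second app copy would be just as exposed; the ini parser deliberately takes the last directive, so an override appended at the end of the file is what counts.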
| 2023-11-24 17:31:00 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Exploit Zero-Day in Supply-Chain Cyberattack | The North Korean Lazarus hacking group exploited a zero-day vulnerability in the MagicLine4NX software, used widely in South Korea for secure logins.
The zero-day vulnerability enabled the group to conduct a supply-chain attack against South Korean institutions.
Attackers compromised a media outlet's website, embedding malicious scripts to perform 'watering hole' attacks, targeting specific IP ranges.
After triggering the vulnerability, attackers gained control of the victim's computer and connected it to their command and control (C2) servers.
The hackers deployed information-stealing code within the targeted organizations' servers, enabling reconnaissance and data exfiltration activities.
These advanced persistent threat (APT) activities are part of North Korea's broader strategy, including cyber espionage and cryptocurrency theft to fund national priorities.
Official advisories from NCSC, NIS, and CISA provide detailed analysis on the Lazarus group's tactics and the broader implications of their operations. | Details |
| 2023-11-24 17:15:28 | bleepingcomputer | CYBERCRIME | Cyberattack on UK IT Provider CTS Disrupts Legal Sector Operations | A cyberattack on CTS, a managed service provider (MSP) for UK law firms, has caused a significant service outage.
The outage is affecting numerous law firms and disrupting property transactions.
CTS is investigating the incident with help from a leading cyber forensics firm and working to restore services.
The company is unable to provide a specific timeline for resolution and full restoration of affected systems.
A ransomware attack is suspected; client estimates put the number of affected law firms somewhere between 80 and 200.
No evidence suggests that data integrity has been compromised; systems will remain offline until safety assurances are received.
CTS offers services including cyber protection, attack detection, and employee security training.
The National Cyber Security Centre (NCSC) had previously warned about the risks associated with using MSP services. | Details |
| 2023-11-24 15:38:20 | theregister | CYBERCRIME | OpenCart Owner's Hostile Reaction to Vulnerability Disclosure | Security researcher discloses a critical code injection vulnerability in OpenCart (CVE-2023-47444) with a CVSS 3 score of 8.8.
OpenCart's owner, Daniel Kerr, responds aggressively to the vulnerability report, dismissing it as a "non vulnerability."
Researcher Mattia Brollo attempted to contact OpenCart through multiple official channels before resorting to a public GitHub issue.
Despite initial resistance and offensive remarks, Kerr eventually merged a fix for the vulnerability into OpenCart's master branch.
The incident recalls similar past issues with OpenCart's security practices, including weak password-hashing algorithms and encryption methods.
OpenCart is a widely-used e-commerce platform, with competitors like WooCommerce and Shopify holding larger market shares.
The history of security issue reports and OpenCart's responses suggest a pattern of dismissive behavior towards community feedback on security practices. | Details |
| 2023-11-24 15:38:20 | thehackernews | CYBERCRIME | Sophisticated Telegram Bot Targets Victims in Phishing Scams | A new analysis details Telekopye, a Telegram bot that cybercriminals use to run large-scale phishing scams.
The bot generates the fake websites, emails and SMS messages the scammers send to their targets.
The group operating this scheme, dubbed Neanderthals, operates in a structured manner similar to a legitimate company, recruiting members and assigning roles.
Neanderthals lure victims, termed Mammoths, into fraudulent transactions using sophisticated social engineering tactics.
The scams involve posing as both buyers and sellers in online marketplaces, as well as conducting refund scams to double-charge victims.
Cybersecurity firm Group-IB reported that the same operation, also known as Classiscam, has amassed $64.5 million since 2019.
The Neanderthals conduct careful selection of potential victims and extensive market research to increase the success rate of the scams.
The criminals stay anonymous using VPNs, proxies and Tor, and have expanded their fraud to include real estate scams. | Details |
| 2023-11-24 10:58:12 | thehackernews | CYBERCRIME | GitGuardian Shields Secrets from Exposure with Creative Tool | GitGuardian has introduced a service called HasMySecretLeaked that lets developers check whether sensitive data such as passwords and API keys appear in public GitHub repositories.
Rather than sending the secret itself, the client hashes and encrypts it locally and shares only a partial hash with GitGuardian's systems.
Because the hashing and encryption happen client-side, the actual secret is never exposed during the check.
Users can verify this for themselves by inspecting the web interface's network activity or reading the open-source command-line interface (CLI) code.
In the first few weeks after launch, the service was used to check over 9,000 secrets.
The web interface allows up to five free checks per day; additional checks are available through GitGuardian's ggshield CLI.
GitGuardian's approach is an example of how a company can let customers check for data exposure without handing over the data itself. | Details |
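An added example (written for this brief; not GitGuardian's code) of the hash-prefix lookup pattern the summary describes: the client sends only a prefix of the hashed secret, and each answer the server returns is encrypted under a key derived from the full hash, so only a client that actually holds the secret can read it. SHA-256, the 5-character prefix and the HMAC-based stream cipher are assumptions chosen to keep the example dependency-free; a production implementation would use an AEAD such as AES-GCM.

```python
"""Hash-prefix (k-anonymity style) leak lookup with client-decryptable answers."""
import hashlib
import hmac
import os
from typing import Optional

PREFIX_LEN = 5  # hex characters of the hash the client reveals (assumed value)


def fingerprint(secret: bytes) -> str:
    """Client-side hash of the secret; the secret itself never leaves the client."""
    return hashlib.sha256(secret).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a toy stream cipher for illustration only.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(full_hash: str, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC under a key derived from the full hash of the leaked secret."""
    key = bytes.fromhex(full_hash)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(full_hash: str, nonce: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (i.e. this payload is for another secret)."""
    key = bytes.fromhex(full_hash)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class LeakIndex:
    """Server side: sealed 'where it leaked' payloads, bucketed by hash prefix."""

    def __init__(self) -> None:
        self._buckets: dict = {}

    def add_leak(self, leaked_secret: bytes, location: str) -> None:
        h = fingerprint(leaked_secret)
        self._buckets.setdefault(h[:PREFIX_LEN], []).append(seal(h, location.encode()))

    def lookup(self, prefix: str) -> list:
        """The only request the client makes: a prefix in, a bucket of sealed payloads out."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("client must send exactly the agreed prefix length")
        return list(self._buckets.get(prefix, []))


def has_my_secret_leaked(index: LeakIndex, secret: bytes) -> Optional[str]:
    """Client side: the leak location if the secret is indexed, else None."""
    h = fingerprint(secret)
    for nonce, ct, tag in index.lookup(h[:PREFIX_LEN]):
        pt = unseal(h, nonce, ct, tag)
        if pt is not None:
            return pt.decode()
    return None
```

Note what each party learns: the server sees a 5-hex-character prefix, which narrows the space to roughly one in a million hashes, and a client that lands in the same bucket as someone else's leaked secret receives payloads it cannot open, because the tag check fails without the full hash.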
| 2023-11-24 10:37:39 | thehackernews | NATION STATE ACTIVITY | Hamas Threat Actor Allegedly Behind Cross-Platform SysJoker Attacks | Cybersecurity researchers have identified a Rust-powered version of SysJoker, a cross-platform backdoor, targeting Israel.
The backdoor has been attributed to a Hamas-linked threat actor amid the conflict with Israel.
SysJoker gathers system information and can remotely execute commands, download, and execute new malware.
The updated version is written in Rust and retrieves its command-and-control (C2) server URL dynamically from Microsoft's OneDrive.
Check Point's analysis notes that hosting the C2 address on OneDrive lets the attackers swap C2 infrastructure quickly, which complicates detection and blocking.
The evolution of SysJoker includes enhanced evasion techniques, such as random sleep intervals.
Two previously undetected, more complex SysJoker samples were discovered for Windows systems, featuring multi-stage execution.
Connections between the updated SysJoker backdoor and Operation Electric Powder were found, hinting at consistent threat actor involvement over several years. | Details |
| 2023-11-24 06:48:54 | thehackernews | DATA BREACH | Fortune 500 Companies' Kubernetes Secrets Leaked Publicly | Kubernetes configuration secrets from several Fortune 500 firms, including two top blockchain companies, were exposed in public repositories.
Aqua Security identified 438 records on GitHub with potential access credentials to container image registries, 46% of which had valid credentials.
Access provided by the credentials included both pulling and pushing rights, often exposing private container images.
Researchers noted that nearly half of the uncovered manually set passwords were weak, highlighting the need for robust organizational password policies.
Despite inadvertent exposure, all AWS and Google Container Registry credentials were temporary and expired, negating the risk of unauthorized access.
GitHub Container Registry's mandatory two-factor authentication provided added security against potential breaches.
Some exposed keys had minimal privileges or were encrypted, reducing risks; however, this incident underlines general concerns about vulnerabilities and misconfigurations as major security issues within container environments. | Details |
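As an added example (not Aqua Security's tooling), the following decodes the kind of record the research describes: a Kubernetes Secret of type kubernetes.io/dockerconfigjson committed to a repository, carrying base64 registry logins inside a base64 JSON blob. It reports the registry, the username and a weakness verdict for each credential without printing the password itself, which is what a repository scanner should emit. The sample manifest, the weak-password heuristic and the list of well-known token-style usernames are constructed for illustration.

```python
"""Extract registry credentials from a committed kubernetes.io/dockerconfigjson Secret."""
import base64
import json
from typing import Optional

DOCKERCFG_TYPE = "kubernetes.io/dockerconfigjson"
DOCKERCFG_KEY = ".dockerconfigjson"
# Usernames that registries use for short-lived token logins (ECR, GCR/Artifact Registry);
# the "password" beside them is a generated token, not a human-chosen password.
TOKEN_USERNAMES = {"AWS", "_json_key", "_json_key_base64", "oauth2accesstoken"}
COMMON_WEAK = {"password", "password1", "admin", "123456", "changeme", "letmein"}


def _decode_data_field(manifest: dict, key: str) -> Optional[str]:
    """Secrets carry base64 values in 'data' or plaintext in 'stringData'."""
    if key in manifest.get("stringData", {}):
        return manifest["stringData"][key]
    if key in manifest.get("data", {}):
        return base64.b64decode(manifest["data"][key]).decode("utf-8", "replace")
    return None


def is_weak_password(pw: str) -> bool:
    """Illustrative heuristic: short, on a tiny common list, or fewer than three character classes."""
    if len(pw) < 12 or pw.lower() in COMMON_WEAK:
        return True
    classes = sum(1 for pred in (str.islower, str.isupper, str.isdigit) if any(pred(c) for c in pw))
    classes += 1 if any(not c.isalnum() for c in pw) else 0
    return classes < 3


def extract_registry_credentials(manifest_json: str) -> list:
    """One finding per registry login found in the Secret; empty for anything else."""
    manifest = json.loads(manifest_json)
    if manifest.get("kind") != "Secret" or manifest.get("type") != DOCKERCFG_TYPE:
        return []
    raw = _decode_data_field(manifest, DOCKERCFG_KEY)
    if raw is None:
        return []
    findings = []
    for registry, entry in json.loads(raw).get("auths", {}).items():
        user, pw = entry.get("username"), entry.get("password")
        if "auth" in entry:  # the base64("user:password") form docker login writes
            user, sep, pw = base64.b64decode(entry["auth"]).decode("utf-8", "replace").partition(":")
            if not sep:
                continue
        if user is None or pw is None:
            continue
        manual = user not in TOKEN_USERNAMES
        findings.append({
            "secret": manifest.get("metadata", {}).get("name"),
            "registry": registry,
            "username": user,
            "password_length": len(pw),  # never the password itself
            "manually_set": manual,
            "weak": manual and is_weak_password(pw),
        })
    return findings


# Constructed sample: one human-chosen registry password and one ECR token login.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": DOCKERCFG_TYPE,
    "metadata": {"name": "regcred"},
    "data": {DOCKERCFG_KEY: base64.b64encode(json.dumps({
        "auths": {
            "registry.example.com": {"auth": base64.b64encode(b"ci-bot:Password1").decode()},
            "123456789012.dkr.ecr.us-east-1.amazonaws.com": {
                "username": "AWS", "password": "constructed-temporary-ecr-token"},
        }
    }).encode()).decode()},
})

if __name__ == "__main__":
    for finding in extract_registry_credentials(SAMPLE_MANIFEST):
        print(finding)
```

The split between "manually_set" and token logins mirrors the research's observation that the AWS and Google credentials were short-lived while the human-chosen passwords were the weak ones; a scanner that treats both alike will either drown the weak-password signal or miss the expired-token context.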
| 2023-11-23 18:07:27 | theregister | CYBERCRIME | BlackCat Ransomware Compromises Major US Title Insurer Fidelity National Financial | Fidelity National Financial (FNF), a Fortune 500 insurance company, was the target of a significant ransomware attack.
FNF was compelled to shut down key systems following the cybersecurity incident, affecting title insurance and other services.
The attack's specifics, including the extent of data compromise, are under ongoing investigation.
Ransomware group ALPHV/BlackCat claimed responsibility for the breach and has suggested it holds undisclosed information.
The likely attack vector is "CitrixBleed" (CVE-2023-4966), a recently patched critical vulnerability in Citrix NetScaler devices.
Despite the availability of patches, many organizations remained exposed to CitrixBleed a month after the fix was released.
The cyber incident disrupted operations not only for FNF but also for the broader real estate market, delaying home purchases and closings. | Details |
| 2023-11-23 14:53:40 | thehackernews | NATION STATE ACTIVITY | Konni Group Targets Russia with Sophisticated Phishing Attacks | An ongoing phishing campaign, utilizing Russian-language Microsoft Word documents, has been identified as the work of a North Korean threat actor known as Konni.
Konni, thought to be associated with Kimsuky (APT43), deploys malware through these documents to collect sensitive data from infected Windows devices.
Recent attacks have exploited the WinRAR vulnerability (CVE-2023-38831) and used obfuscated scripts to install a Remote Access Trojan (RAT) and data harvesting batch scripts.
The threat actor focuses on espionage, consistently refining their techniques to avoid detection while aiming to exfiltrate data.
Fortinet has detailed the latest attack method, which involves a macro-enabled Word document that unleashes a sequence leading to the deployment of a DLL payload with data gathering and exfiltration functions.
The North Korean cyber espionage group Konni, as well as other groups such as Lazarus and ScarCruft, have heightened their focus on Russian targets, including trading firms and missile engineering companies.
Russian cybersecurity firm Solar reported that Asian threat actors, predominantly from China and North Korea, are responsible for most attacks on Russian infrastructure. | Details |
| 2023-11-23 14:02:12 | bleepingcomputer | MISCELLANEOUS | Black Friday Deal on Zero2Automated Malware Course | Zero2Automated offers a Black Friday to Cyber Monday 25% discount on malware analysis courses, including the 'Ultimate Malware Reverse Engineering Bundle'.
Courses were created by renowned reverse engineers Vitali Kremez and Daniel Bunce, providing over 25 hours of content and a collaborative online community.
The sale is available from November 23rd at 14:00 GMT to November 27th at 23:59 GMT, with the discount code BLACKFRIDAY.
The course features lifetime access, over 1,000 peer/teacher interactions, and regular real-world malware challenges.
The 'Ultimate Malware Reverse Engineering Bundle' includes three courses designed to take participants from beginner to advanced levels.
Purchases include a 10% discount on IDA Pro Named License or IDA Home subscription, enhancing the toolkit for malware analysis.
BleepingComputer endorses the quality of the course without receiving any commission and underscores the uniqueness and educational value of the content. | Details |
| 2023-11-23 13:41:34 | theregister | NATION STATE ACTIVITY | North Korea Escalates Supply Chain Cyberattacks Globally | The UK and Republic of Korea (ROK) issued a joint advisory warning about North Korean cyberattacks on software supply chains.
Attacks show increased sophistication, leveraging zero-day and N-day vulnerabilities, aiming at espionage and theft of intellectual property.
Targets include government entities, the financial sector, and defense industries worldwide.
Notable cases include the compromise of the MagicLine4NX security software, where a zero-day in the Windows version was exploited, and a similar supply-chain attack on the 3CX desktop app, which affected both the Windows and macOS builds.
The Lazarus group, associated with North Korea, has been identified as perpetrating these attacks, with motives aligned with North Korean state priorities.
Microsoft separately reported a supply-chain attack on CyberLink's multimedia software whose malicious payload runs only on systems not protected by specific EDR security solutions.
Advisories recommend increased vigilance, application of security updates, enabling 2FA, and monitoring for anomalous network traffic to mitigate threats. | Details |
| 2023-11-23 13:00:41 | thehackernews | MALWARE | Alert on Sophisticated WailingCrab Malware Disguised as Shipping Emails | A new malware loader called WailingCrab is being delivered via emails with shipping-related themes.
IBM X-Force researchers reveal WailingCrab consists of multiple components aimed at stealth and avoiding detection.
The malware is attributed to the threat actor TA544, also tracked as Bamboo Spider and Zeus Panda, and is being used to deliver further malicious payloads.
WailingCrab incorporates techniques such as utilizing legitimate hacked websites and platforms like Discord for command-and-control (C2) operations.
Recent updates to the malware include utilizing MQTT, a lightweight messaging protocol, which is rare in the threat landscape for C2 communications, enhancing its evasiveness.
The infection chain starts with an email carrying a PDF attachment; the PDF leads to a JavaScript file fetched from Discord, which ultimately installs a backdoor that talks to the C2 server.
Newer versions encrypt the backdoor component and drop the Discord stage entirely; the C2 server instead delivers shellcode directly over MQTT.
Discord has acknowledged the abuse of their CDN for malware distribution and plans to implement temporary file links to counteract misuse. | Details |
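MQTT is unusual enough as a C2 transport that its appearance from a workstation is itself a signal. As an added example (illustrative detection logic written for this brief, not IBM X-Force's code), the block below parses the MQTT CONNECT packet, the first message any client sends to a broker, and flags connects to brokers outside an allowlist. The log line format, the allowlist and the sample traffic are constructed assumptions; the packet layout follows the MQTT 3.1, 3.1.1 and 5 specifications.

```python
"""Detect MQTT CONNECT packets to unsanctioned brokers in captured traffic."""
from typing import Optional

PROTOCOL_NAMES = {b"MQTT", b"MQIsdp"}   # MQTT 3.1.1/5 and MQTT 3.1 respectively
ALLOWED_BROKERS = {"10.0.5.20:1883"}     # assumed: the site's sanctioned broker(s)


def _remaining_length(buf: bytes, pos: int):
    """MQTT variable-byte integer: 7 bits per byte, high bit set means 'more bytes'."""
    value, mult = 0, 1
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not (b & 0x80):
            return value, pos
        mult *= 128
        if mult > 128 ** 3:  # the spec allows at most four bytes
            raise ValueError("malformed remaining length")


def _utf8_field(buf: bytes, pos: int):
    """Length-prefixed (2-byte big-endian) string field."""
    n = int.from_bytes(buf[pos:pos + 2], "big")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_connect(packet: bytes) -> Optional[dict]:
    """Return the CONNECT fields, or None if this is not a well-formed CONNECT packet."""
    if len(packet) < 2 or (packet[0] & 0xF0) != 0x10:
        return None  # control packet type 1 lives in the high nibble of the first byte
    try:
        rem, pos = _remaining_length(packet, 1)
        if rem != len(packet) - pos:
            return None
        name, pos = _utf8_field(packet, pos)
        if name not in PROTOCOL_NAMES:
            return None
        level, flags = packet[pos], packet[pos + 1]
        keepalive = int.from_bytes(packet[pos + 2:pos + 4], "big")
        pos += 4
        if level == 5:  # MQTT 5 inserts a properties block before the payload
            plen, pos = _remaining_length(packet, pos)
            pos += plen
        client_id, pos = _utf8_field(packet, pos)
    except (IndexError, ValueError):
        return None
    return {
        "protocol": name.decode(),
        "level": level,
        "client_id": client_id.decode("utf-8", "replace"),
        "has_username": bool(flags & 0x80),
        "has_password": bool(flags & 0x40),
        "keepalive": keepalive,
    }


def build_connect(client_id: str, level: int = 4) -> bytes:
    """Minimal CONNECT (clean session, 60 s keepalive) used to construct the sample traffic.
    Single-byte remaining length, so the body must stay under 128 bytes."""
    body = b"\x00\x04MQTT" + bytes([level, 0x02]) + (60).to_bytes(2, "big")
    if level == 5:
        body += b"\x00"  # empty properties block
    cid = client_id.encode()
    body += len(cid).to_bytes(2, "big") + cid
    return b"\x10" + bytes([len(body)]) + body


def flag_mqtt_connects(log_lines: list, allowed=ALLOWED_BROKERS) -> list:
    """Log line format (constructed): '<src_host> <dst_ip>:<dst_port> <hex payload>'."""
    alerts = []
    for line in log_lines:
        src, dst, payload = line.split()
        info = parse_connect(bytes.fromhex(payload))
        if info and dst not in allowed:
            alerts.append({"src": src, "dst": dst, **info})
    return alerts


# Constructed sample: a sanctioned sensor connect, a finance workstation talking MQTT 5
# to an unknown broker, and a plain HTTP request the parser must ignore.
SAMPLE_LOG = [
    "sensor-07 10.0.5.20:1883 " + build_connect("sensor-07").hex(),
    "ws-finance-12 203.0.113.45:1883 " + build_connect("wc-8f3a1c", level=5).hex(),
    "ws-finance-12 203.0.113.45:1883 474554202f20485454502f312e31",
]

if __name__ == "__main__":
    for alert in flag_mqtt_connects(SAMPLE_LOG):
        print(alert)
```

Matching on the protocol name rather than on port 1883 matters here: a C2 broker can listen anywhere, and the CONNECT header is the same whatever port it is on. Over TLS (8883) only the destination is visible, so the allowlist check is the part that still applies.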
| 2023-11-23 11:49:19 | theregister | CYBERCRIME | Ransomware Attack Disrupts Direct Debit Provider, Affects Payrolls | Ransomware attack on London & Zurich caused a significant service outage, starting on November 10, with the attack confirmed on November 14.
Clients experienced major disruptions with direct debit payments, leading to cash flow issues and the necessity for short-term loans for at least one customer.
Communication from London & Zurich has been sparse and unclear, causing uncertainty amongst clients regarding service restoration.
London & Zurich has managed to process its first payment run since the attack began, leaning on bank loans and director funds to cover the shortfall.
London & Zurich has stepped up recovery efforts, with API services restored and pending testing on other service areas, expecting full restoration by week's end.
Some components of the service, such as customer password rotations, have been completed in anticipation of the direct debit portal going live by November 23.
There is no definite timeline for service normalization, and the company has not provided details about the nature of the breach, the attackers, or the extent of data compromise. | Details |
| 2023-11-23 10:58:00 | thehackernews | DDOS | DDoS Botnet Exploits Zero-Day Flaws in Routers and NVRs | An ongoing malware campaign is using zero-day vulnerabilities to infect routers and NVRs with a Mirai-based botnet, capable of conducting massive DDoS attacks.
Akamai has detected the payload targeting devices with default admin credentials, installing Mirai variants upon successful exploitation.
The zero-day vulnerabilities are currently undisclosed publicly to prevent further misuse, with patches expected to be released in the upcoming month.
The botnet, named InfectedSlurs by Akamai, is identified as a variant of the JenX Mirai malware first seen in January 2018, and is linked to the hailBot Mirai variant identified by NSFOCUS in September 2023.
Akamai also described wso-ng, a new and more capable web shell that can stealthily execute commands and steal data, potentially aiding cyber-espionage activities.
Attackers have adopted methods such as using legitimate but compromised domains for command-and-control and distribution of malware, with a significant attack involving WordPress sites disclosed by Infoblox in August 2023, attributed to the VexTrio threat actor. | Details |