Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12615
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-23 10:58:00 | thehackernews | MISCELLANEOUS | Essential Strategies for Efficient Cybersecurity Incident Response | Ensuring all team members are well-educated on cybersecurity threats is fundamental for effective incident response (IR). Regular training and incident simulations for IR teams are essential for preparedness against evolving cyber threats. Adopting a comprehensive IR plan with clear roles, responsibilities, and response strategies is crucial for coordinated action. Technology plays a pivotal role in IR; efficient logging, endpoint detection and response (EDR), and ample storage for data analysis are vital components. Identification of a breach involves balancing alert settings to avoid alert fatigue and documenting Indicators of Compromise (IOCs). Containment strategy should take into account security and business implications, focusing first on critical devices and assets. Eradication of threats should be thorough, aligning with organizational policies, and involve documentation and verification processes. Post-incident recovery should include monitoring for persistent IOCs and implementing root cause fixes to prevent future occurrences. Lessons learned are key for improving future IR capabilities, updating strategies, technologies, processes, and training programs. | Details |
| 2023-11-23 09:11:07 | theregister | CYBERCRIME | Countering Social Engineering and Boosting Help Desk Security | Social engineering attacks are increasingly used by hackers to gain unauthorized access to sensitive data, exploiting human elements rather than technical vulnerabilities. An incident at MGM Resorts International highlighted this tactic, resulting in a substantial financial impact estimated at $100 million in lost revenue. Attackers at MGM persuaded an employee to reveal sensitive credentials over the phone, then escalated privileges to deploy ransomware within the IT systems. Similar techniques were used against an energy firm in the UK via AI voice impersonation and against Electronic Arts, leading to network breaches. To address these challenges, Specops offers Secure Service Desk, providing dynamic multi-factor authentication to ensure verifiable identity confirmation. Identity verification options include mobile or email codes, and integration with major Identity Access Management (IAM) tools, enhancing IT help desk security measures. Organizations are advised to strengthen their verification processes to protect against social engineering, with Specops offering free trials and demos of Secure Service Desk to demonstrate its effectiveness. | Details |
| 2023-11-23 08:30:14 | theregister | DDOS | Zero-Day Bugs in Routers Exploited to Build Mirai Botnet for DDoS Attacks | Akamai has discovered two zero-day vulnerabilities being used to distribute Mirai malware and create a DDoS-capable botnet. The zero-days allow for remote code execution and target routers and network video recorders using default passwords. Patches are expected in December; an interim mitigation is to change the default passwords. Akamai's Security Intelligence Response Team (SIRT) has not named the affected vendors but published Snort and YARA rules to detect compromises. The campaign exploits common features that may be present across multiple products, possibly due to code reuse. The InfectedSlurs botnet, which includes older JenX and hailBot Mirai code, was undetected by honeypots until October. Akamai researchers have identified links between the botnet, the offensive language in its C2 domains, and past DDoS activity. | Details |
| 2023-11-23 05:52:21 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Weaponize CyberLink Software in Supply Chain Scheme | North Korean group Diamond Sleet has trojanized CyberLink software to launch a supply chain attack. Over 100 devices in Japan, Taiwan, Canada, and the U.S. were affected by the modified CyberLink installer. The malicious installer performs checks to bypass detection by security tools and limits the time of execution. Microsoft linked the malware to C2 servers previously compromised by North Korean threat actors. The attackers targeted organizations in the defense, telecommunications, and financial sectors. The malware skips execution if security products from CrowdStrike, FireEye, or Tanium are detected. The campaign involves a downloader/loader that retrieves additional payloads disguised as PNG files. This incident follows reports of North Korean actors using fake job interviews and exploiting critical security flaws in JetBrains TeamCity for cyber espionage. | Details |
| 2023-11-23 05:01:15 | theregister | CYBERCRIME | New Relic Issues Alert on Recent Cybersecurity Incident | New Relic, a web tracking and analytics company, has alerted its customers to a cybersecurity incident. The company is engaging third-party cybersecurity experts to conduct an investigation into the event. Customers have been advised to be vigilant and monitor their accounts for any suspicious activity, indicating potential account compromise. Details about the nature of the incident, the extent of any data access, and specific customer actions required are currently scarce. New Relic has advised customers they will be contacted directly if any actions need to be taken on their part. The advisory's timing coincides with the US Thanksgiving holiday, which may impact the response from US-based customers. The Register's inquiries for more detailed information about the incident were not answered by New Relic. | Details |
| 2023-11-23 01:37:59 | theregister | NATION STATE ACTIVITY | North Korea-linked Hacking Schemes Target Job Market | North Korean state-sponsored actors are targeting job seekers and employers in sophisticated hacking schemes, according to Palo Alto Networks' Unit 42. The "Contagious Interview" campaign lures software engineers into downloading malware-infected NPM packages from GitHub, ostensibly for job interviews. The "Wagemole" operation involves actors impersonating job applicants for espionage and financial gain, with high confidence in its link to North Korea. Discovered in December 2022, these schemes involve faux recruiters and job postings in tech fields like AI, cryptocurrency, and NFTs. Two previously unknown malware families, BeaverTail and InvisibleFerret, were used to steal information, including credit card and cryptocurrency wallet details. The objectives of these campaigns appear to include using compromised systems as platforms for additional attacks and stealing cryptocurrency. Unit 42 found fraudulent documents and well-maintained LinkedIn and GitHub profiles designed to make the fake personas seem legitimate. The US Justice Department and FBI note these tech workers contribute their earnings to North Korea's weapons funding, a concern echoed by South Korea's government. | Details |
| 2023-11-22 22:40:07 | theregister | CYBERCRIME | Researchers Reveal Windows Hello Fingerprint Authentication Flaws | Security researchers from Blackwing Intelligence have found ways to bypass Windows Hello's fingerprint authentication. The vulnerabilities were discovered in laptops from Dell, Lenovo, and Microsoft, using fingerprint sensors from different manufacturers. Blackwing Intelligence's work was commissioned by Microsoft's Offensive Research and Security Engineering group and presented at the BlueHat conference. The method involved booting a laptop into Linux, using a sensor's driver to store a new fingerprint with the same ID as a Windows user, and tricking the chip into using the Linux database through a man-in-the-middle device. The implementation flaws allow someone with physical access to a device to log in as the user associated with a fingerprint without actually having that person's fingerprint. Microsoft indicates that the issues have been addressed by vendors, and users should check for updates or errata. The researchers recommend that device makers avoid these design flaws and that users implement additional security measures, such as boot passwords. | Details |
| 2023-11-22 21:43:58 | theregister | CYBERCRIME | Nuclear Lab Compromised by Unconventional Hacker Group | SiegedSec, an unusual cybercriminal group that describes itself as "gay furry hackers," claims to have breached the Idaho National Laboratory's systems. The hackers reportedly stole and leaked personal data of employees, including Social Security numbers, addresses, and bank details. The cyberattack targeted a third-party vendor system associated with the lab's cloud HR services. Idaho National Laboratory acknowledges the cyberattack, has involved law enforcement, and is taking action to secure employee data. The group has issued an odd ransom demand, offering to remove the leaked information if the lab engages in research to create "IRL catgirls," a nod to an internet meme. The INL is a critical part of America's nuclear research infrastructure, employing over 6,100 people and operating the world's densest concentration of nuclear reactors. Motivations for the attack remain ambiguous, with SiegedSec previously citing human rights issues and the enjoyment of leaks as reasons for their NATO breach. | Details |
| 2023-11-22 19:41:42 | bleepingcomputer | DATA BREACH | Kansas Judicial Branch Reports Significant Data Breach After Cyberattack | Kansas Judicial Branch suffered a cybersecurity incident last month, resulting in stolen sensitive files containing confidential information. Hackers impacted the availability of systems including document submission, electronic payment systems, and case management systems for district and appellate courts. Over a month after the incident, vital court services remain offline, with no clear resolution timeline provided. The data theft includes Office of Judicial Administration files, district court case records, and possibly other confidential data. The incident has the hallmarks of a ransomware attack, including system disruption and threats to publish stolen data unless a ransom is paid. The specific type of cyberattack has not been disclosed, and no ransomware groups have claimed responsibility yet. The Kansas authority is estimating several weeks to restore all systems and plans to notify all individuals impacted by the data breach. The public statement characterized the incident as an attack against all Kansans and condemned the perpetrators. | Details |
| 2023-11-22 19:10:47 | bleepingcomputer | CYBERCRIME | Windows Hello Fingerprint Authentication Compromised on Laptops | Security researchers from Blackwing Intelligence bypassed Windows Hello fingerprint authentication on laptops from Dell, Lenovo, and Microsoft. The vulnerability was in the embedded fingerprint sensors on the Microsoft Surface Pro X, Lenovo ThinkPad T14, and Dell Inspiron 15. These Match-on-Chip (MoC) sensors, which perform fingerprint matching internally, were exploited through man-in-the-middle (MitM) attacks using a customized Raspberry Pi. Sensitive data and communication should have been protected by Microsoft's Secure Device Connection Protocol (SDCP), but the protocol was not enabled on two devices and improperly implemented on the third. On the Dell and Lenovo laptops, attackers bypassed authentication by enrolling an attacker's fingerprint using a legitimate user's ID. On the Microsoft device, researchers spoofed the fingerprint sensor, taking advantage of unprotected cleartext USB communication. Blackwing Intelligence recommends that manufacturers enable and correctly implement SDCP to protect against such attacks. Microsoft notes an increase in users signing into Windows 10 with Windows Hello, highlighting the importance of securing biometric authentication methods. | Details |
| 2023-11-22 18:24:29 | bleepingcomputer | DATA BREACH | Health SaaS Welltok Suffers Major Data Breach Affecting Millions | Welltok, a Healthcare SaaS provider, experienced a major data breach exposing the personal data of approximately 8.5 million U.S. patients. The breach occurred due to a hack of the company's file transfer program, MOVEit, which was previously targeted by the Clop ransomware gang exploiting a zero-day vulnerability. Personal data exposed in the breach comprises full names, email addresses, physical addresses, telephone numbers, and in some cases, sensitive information like Social Security Numbers, Medicare/Medicaid IDs, and health insurance details. The breach was first acknowledged by Welltok in late October when a notice was published, despite the firm having applied all available security updates from the vendor at the time. Numerous healthcare providers across multiple states, including Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois, and Massachusetts, have been affected. The breach ranks as the second-largest MOVEit incident to date, after the Maximus breach, according to reports filed with the U.S. Department of Health and Human Services breach portal. | Details |
| 2023-11-22 18:08:55 | bleepingcomputer | MALWARE | Microsoft Identifies Supply Chain Malware by North Korean Hackers | North Korean group Lazarus hacked CyberLink, trojanizing an installer for a supply chain attack. Trojanized CyberLink installers were detected on devices in multiple countries, including the US and Japan. Microsoft attributes the attack to the group known as Diamond Sleet, with high confidence. The attack involves a second-stage payload interacting with previously compromised infrastructure. Microsoft added the legitimate CyberLink certificate used for signing the malware to its disallowed list. The malware targets systems not protected by specific security software and downloads a second-stage payload disguised as a PNG. No hands-on-keyboard activity was detected post-breach, but Microsoft has informed affected parties and removed payloads from GitHub. | Details |
| 2023-11-22 17:43:05 | bleepingcomputer | MALWARE | New 'InfectedSlurs' Botnet Targets NVRs and Routers via Zero-Days | A novel Mirai-based botnet, dubbed 'InfectedSlurs,' is exploiting zero-day vulnerabilities to infect network video recorders (NVRs) and routers for DDoS attacks. Cybersecurity firm Akamai detected the malware, which became active in late 2022 and was first observed on their honeypots in October 2023. The malware exploits two unpatched remote code execution (RCE) vulnerabilities in devices from unnamed vendors who are working on patches due for release in December 2023. Akamai's investigation revealed that the botnet uses default vendor credentials for infection and targets a specific NVR manufacturer, along with routers popular in homes and hotels. The botnet's C2 infrastructure largely supports DDoS operations, and analysis suggests it is only minimally altered from the original Mirai, lacking a persistence mechanism. Device owners are advised to reboot their NVR and router devices to temporarily disrupt the botnet until patches are available. | Details |
| 2023-11-22 16:56:48 | bleepingcomputer | MALWARE | Malware Targets Google Auth Cookies for Account Hijacking | The malware known as Lumma can allegedly restore expired Google authentication cookies to gain access to user accounts. Lumma's developers offer this feature to subscribers of their highest-tier plan, costing $1,000 per month. Session cookies, which are typically short-lived for security, can apparently be resurrected by the malware, potentially bypassing standard security measures. The cookie restoration capability has been announced but not yet confirmed by independent security researchers or Google. Google was contacted for comments on this vulnerability but has not yet provided a response. The malware developers claim to have updated Lumma to circumvent new restrictions by Google designed to prevent such cookie restoration. Users are advised to avoid malware infection by not downloading files from unreliable sources and being cautious with search engine results to safeguard their accounts until Google addresses the issue. | Details |
| 2023-11-22 16:15:19 | bleepingcomputer | DDOS | Blender Suffers Persistent DDoS Attacks, Disrupting Operations | The Blender project has been experiencing ongoing DDoS attacks since Saturday, causing significant site outages and service disruptions. As a widely-used open-source 3D design suite, Blender's inability to process legitimate requests has severely impacted creators relying on their services. Blender's team has been actively combating the attacks, but efforts to block the attackers' IP ranges were futile as they rapidly shifted to new locations. In response to the continual issues, the team moved Blender's main website to Cloudflare, effectively reducing the severity of the attack's impact. Over 240 million fake requests have been launched against Blender's servers, as reported by the company's COO, Francesco Siddi. While the identity and motives of the perpetrators behind the DDoS attacks remain unknown, the risks, including potential service interruptions and malware infections from unofficial downloads, are still present for users. | Details |